Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Exploitation of Front-Running in Token Deposit Function

Summary

The current implementation of the deposit function allows users to deposit tokens before a specified deadline without any minimum amount restriction. This introduces a critical vulnerability where an attacker can exploit the system by front-running legitimate users. Specifically, just before the deadline, an attacker can:

  1. Monitor pending transactions from genuine participants intending to deposit and participate.

  2. Front-run those transactions by depositing a minimal amount, which can manipulate the outcome of the process (e.g., finalizing the list of participants or determining rewards). After refunding the money used in this attack, the participation list is left small and the legitimate people who want to participate and come to dinner won't get the chance.

This issue is exacerbated by the absence of a minimum deposit threshold, allowing attackers to execute the exploit with negligible cost.

Vulnerability Details

function deposit(address _token, uint256 _amount) external beforeDeadline {
    if(!whitelisted[_token]) {
        revert NotSupportedToken();
    }
    if(participant[msg.sender]){
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(msg.sender, _amount);
    } else {
        participant[msg.sender] = true;
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    }
}

Observe that no lower limit is set on _amount in the deposit function, which is what makes it vulnerable to the front-running attack described above.

Impact

There is no validation to ensure _amount exceeds a specific threshold. This allows deposits of any size, including negligible amounts, which can be exploited in front-running scenarios.


Tools Used

Manual

Recommendations

Implement a Minimum Deposit Threshold

require(_amount >= minimumDeposit, "Deposit amount too small");
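As an added illustration (not the contest code or the author's code), the recommended check integrated into a simplified, assumed version of the deposit path. It uses a per-token minimum rather than a single minimumDeposit, because whitelisted tokens can differ in decimals and value, so one global threshold would be too strict for some tokens and meaningless for others. The host role, the DepositTooSmall error, the whitelistToken function and the two-argument NewSignup event are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed, simplified contract: only the deposit path relevant to this finding is shown.
contract DinnerDepositsWithMinimum {
    using SafeERC20 for IERC20;

    error NotSupportedToken();
    error DepositTooSmall(uint256 sent, uint256 minimum);
    error DeadlinePassed();
    error NotHost();

    event NewSignup(address indexed participant, uint256 amount);
    event GenerousAdditionalContribution(address indexed participant, uint256 amount);

    address public immutable host;
    uint256 public immutable deadline;
    mapping(address => bool) public whitelisted;
    // Per-token floor: tokens differ in decimals and price, so one global value does not fit all.
    mapping(address => uint256) public minimumDeposit;
    mapping(address => bool) public participant;
    mapping(address => mapping(address => uint256)) public balances;

    constructor(uint256 _deadline) { host = msg.sender; deadline = _deadline; }

    modifier beforeDeadline() { if (block.timestamp > deadline) revert DeadlinePassed(); _; }

    // Whitelisting and setting the floor are one step, so no token is ever accepted with a zero floor.
    function whitelistToken(address _token, uint256 _minimum) external {
        if (msg.sender != host) revert NotHost();
        whitelisted[_token] = true;
        minimumDeposit[_token] = _minimum;
    }

    function deposit(address _token, uint256 _amount) external beforeDeadline {
        if (!whitelisted[_token]) revert NotSupportedToken();
        // The check this report recommends: reject dust deposits before any state changes.
        if (_amount < minimumDeposit[_token]) revert DepositTooSmall(_amount, minimumDeposit[_token]);
        bool isNew = !participant[msg.sender];
        participant[msg.sender] = true;
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        if (isNew) emit NewSignup(msg.sender, _amount);
        else emit GenerousAdditionalContribution(msg.sender, _amount);
    }
}
```

Note that a minimum only raises the cost of dust sign-ups; it does not by itself stop a well-funded account from signing up and later refunding, so the threshold should be sized against the refund rules of the contract as a whole.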

Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
