HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Front-Running in `_createContingentPool`

Summary

The `_createContingentPool` function is vulnerable to front-running attacks. Malicious actors can monitor pending transactions in the mempool and manipulate the transaction order to their advantage. By submitting a transaction with a higher gas fee, an attacker can execute their transaction before the legitimate user's transaction, creating a pool with manipulated parameters or exploiting price changes.

Impact

Collateral Token Price Manipulation:

- The attacker manipulates the price of the collateral token before the user's transaction is executed.

- The user ends up creating a pool with unfavorable terms, while the attacker profits from the price movement.

Proof of concept

- A user submits a transaction to create a pool with the following parameters: Collateral Token: USDC, Collateral Amount: 100,000 USDC, Reference Asset: ETH/USD, Expiry Time: 30 days, Floor: $1,500, Cap: $2,500.

- The transaction enters the mempool.

- The attacker monitors the mempool, identifies the transaction, and submits a new transaction with the same parameters but Floor: $1,400, Cap: $2,600.

- The attacker sets a higher gas fee, ensuring their transaction is mined first.

- The user's transaction results in a less favorable pool.

Recommendations

Implement a two-step process:

  • Step 1: Users submit a hashed commitment of the pool parameters.

  • Step 2: Users reveal the parameters after a set period.
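The two-step commit-reveal process recommended above, written out in Solidity as an added example (not code from the submission or from the audited project). The contract name, the `PoolParams` struct, the delay constants and the `_createPool` hook are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of commit-reveal pool creation.
// All names below are hypothetical; they are not the audited project's API.
abstract contract CommitRevealPoolCreator {
    struct PoolParams {
        address collateralToken;
        uint256 collateralAmount;
        string referenceAsset;
        uint256 expiryTime;
        uint256 floor;
        uint256 cap;
    }

    uint256 public constant MIN_DELAY = 2;   // blocks to wait before reveal (assumed value)
    uint256 public constant MAX_DELAY = 256; // commitment lifetime in blocks (assumed value)

    // committer => commitment hash => block number of the commit.
    // Keying by committer stops a third party from squatting on a copied hash.
    mapping(address => mapping(bytes32 => uint256)) public commitBlock;

    event Committed(address indexed committer, bytes32 indexed commitment);
    event Revealed(address indexed committer, bytes32 indexed commitment);

    // Step 1: only the hash is published, so the pending transaction
    // discloses nothing about floor, cap or collateral amount.
    function commit(bytes32 commitment) external {
        commitBlock[msg.sender][commitment] = block.number;
        emit Committed(msg.sender, commitment);
    }

    // Step 2: the parameters and salt are revealed after the delay.
    // The hash covers msg.sender, so a copied reveal fails for anyone else.
    function reveal(PoolParams calldata p, bytes32 salt) external {
        bytes32 commitment = keccak256(abi.encode(msg.sender, p, salt));
        uint256 committedAt = commitBlock[msg.sender][commitment];
        require(committedAt != 0, "unknown commitment");
        require(block.number >= committedAt + MIN_DELAY, "reveal too early");
        require(block.number <= committedAt + MAX_DELAY, "commitment expired");
        delete commitBlock[msg.sender][commitment]; // single use, cleared before pool creation
        _createPool(msg.sender, p);
        emit Revealed(msg.sender, commitment);
    }

    // Hook for the actual pool-creation logic, supplied by the inheriting contract.
    function _createPool(address creator, PoolParams calldata p) internal virtual;
}
```

The salt must be random and kept off-chain until the reveal; without it, a small parameter space could be brute-forced from the commitment hash.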

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
