Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Front-Running and Race Condition in buyOrder Function

Summary

The buyOrder function identifies the order to purchase by its current position (orderIndex) in a storage array and removes filled orders with swap-then-pop. Because any purchase mined before the buyer's transaction can move a different order into that position, the buyer can end up filling an order other than the one they evaluated. A competing user or front-running bot can trigger this deliberately, and it also happens by accident under ordinary concurrent use.

Vulnerability Details

Root Cause: The function identifies orders by their current array index (orderIndex). When an order is filled, the array's last element is moved into the filled order's slot and the array is popped. Any index a caller read before that removal may now point to a different order, or fall outside the array.
Exploit Mechanism:
1. User A reads the order book, decides to buy the order at a specific orderIndex, and submits a buyOrder transaction with that index and a msg.value matching that order's price.
2. Before User A's transaction is mined, a purchase by User B of the order at that same orderIndex executes (by chance, or as a deliberate front-run), so the array's last order is swapped into orderIndex.
3. User A's transaction executes against the updated array. Assuming the function only checks that msg.value covers the price of whatever order now sits at orderIndex, User A buys that different order if it is priced at or below what they sent, and the transaction reverts (wasting gas) if it is priced higher. If User A's index was the last slot and any other order is filled first, the index is out of range and the call reverts.

Impact

Buyers can fill a different order than the one they intended, paying for another seller's order with a different price and token amount. An attacker whose own order currently occupies the last slot of the array can cause this deliberately: on seeing a pending purchase for orderIndex, they front-run it by buying that index themselves, so their order is swapped into the slot the victim's transaction will read. Even without malice, concurrent purchases shift indices and produce the same mis-fills, so the defect is structural rather than dependent on an attacker being present.

Tools Used

Manual Review

Recommendations

Replace the index-addressed array with a mapping keyed by a unique, never-reused orderId (for example, a monotonically increasing counter assigned when the order is created). A buyer then passes the orderId rather than a position, and the function reverts if that order no longer exists, instead of silently filling whatever order was moved into the slot. A mapping also removes the swap-then-pop logic entirely: filled or cancelled orders are simply deleted, and off-chain consumers enumerate open orders from events.

As an additional guard, buyOrder can accept the terms the buyer evaluated (seller, price, token amount) and revert if the stored order differs, so an order changed between reading and execution is rejected rather than filled. A separate reservation transaction that locks an order before purchase only moves the race to the reservation call and does not remove the root cause; the orderId and expected-terms checks are the practical defence.
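The following is an added example, not code from Pieces Protocol, that puts the index-addressed buyOrder described under Exploit Mechanism beside the orderId-keyed version recommended above. The contract names, the SellOrder struct, s_orders, orders, nextOrderId, balances and the two events are assumed for illustration; ERC20 transfers, fees and withdrawals are omitted so the index behaviour stands out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Pieces Protocol code). Names are illustrative.

// VULNERABLE PATTERN: orders addressed by array position, removed with swap-then-pop.
contract IndexedOrderBook {
    struct SellOrder { address seller; uint256 amount; uint256 price; }

    SellOrder[] public s_orders;                 // position == identity (the bug)
    mapping(address => uint256) public balances; // seller proceeds, pull-payment style

    function sell(uint256 amount, uint256 price) external {
        s_orders.push(SellOrder(msg.sender, amount, price));
    }

    // Race: Alice submits buyOrder(0) for a cheap order. Bob's buyOrder(0) is mined
    // first, so the LAST order is copied into slot 0 and the array is popped.
    // Alice's transaction then reads slot 0 and pays for that other order
    // (if her msg.value covers it) or reverts (if it is dearer).
    function buyOrder(uint256 orderIndex) external payable {
        require(orderIndex < s_orders.length, "invalid index");
        SellOrder memory order = s_orders[orderIndex];
        require(msg.value >= order.price, "insufficient payment"); // excess is not refunded

        // swap-then-pop: whatever was last now lives at orderIndex
        s_orders[orderIndex] = s_orders[s_orders.length - 1];
        s_orders.pop();

        balances[order.seller] += order.price;
        // ERC20 transfer of order.amount to msg.sender omitted
    }
}

// HARDENED PATTERN: orders addressed by a never-reused id, plus pinned terms.
contract IdOrderBook {
    struct SellOrder { address seller; uint256 amount; uint256 price; }

    uint256 public nextOrderId = 1;                 // 0 is reserved for "no order"
    mapping(uint256 => SellOrder) public orders;    // orderId => order
    mapping(address => uint256) public balances;

    event OrderCreated(uint256 indexed orderId, address indexed seller, uint256 amount, uint256 price);
    event OrderFilled(uint256 indexed orderId, address indexed buyer);

    function sell(uint256 amount, uint256 price) external returns (uint256 orderId) {
        orderId = nextOrderId++;                    // ids are never recycled
        orders[orderId] = SellOrder(msg.sender, amount, price);
        emit OrderCreated(orderId, msg.sender, amount, price);
    }

    // A concurrent fill of a different order cannot change what this id refers to,
    // and a concurrent fill of the SAME order makes this call revert instead of
    // buying something else. expectedSeller/expectedPrice pin the terms the buyer
    // evaluated off-chain.
    function buyOrder(uint256 orderId, address expectedSeller, uint256 expectedPrice) external payable {
        SellOrder memory order = orders[orderId];
        require(order.seller != address(0), "order does not exist");
        require(order.seller == expectedSeller && order.price == expectedPrice, "order terms changed");
        require(msg.value == order.price, "wrong payment");

        delete orders[orderId];                     // no swap-then-pop needed
        balances[order.seller] += order.price;
        emit OrderFilled(orderId, msg.sender);
        // ERC20 transfer of order.amount to msg.sender omitted
    }
}
```

The trade-off of the mapping is that the contract no longer offers on-chain enumeration of open orders; a front end indexes OrderCreated and OrderFilled events instead, which is also where it reads the seller and price it later passes as expectedSeller and expectedPrice.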

Updates

Lead Judging Commences

fishy Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Front-running
