The likeUser() function is vulnerable to front-running, allowing attackers to manipulate match rewards by submitting transactions with higher gas fees before legitimate users.
1. The victim submits a likeUser() transaction.
2. The attacker detects it in the mempool and submits the same action with a higher gas fee.
3. The attacker's transaction executes first, claiming rewards unfairly.
Because attackers can prioritize their transactions this way, they match first and claim rewards unfairly. The attack exploits the matchRewards() function to redirect ETH rewards, which manipulates the matching system and reduces fairness.
Manually
1. Use a Commit-Reveal Scheme
Instead of immediately storing the like, require users to commit a hashed like first, then reveal it later.
2. Add a Time Lock Before Match Execution
Introduce a delay before matchRewards() can be triggered, making front-running less effective.
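The following contract is an added illustration of both recommendations combined (a commit-reveal like flow plus a time lock before rewards settle); it is not the audited project's code. The contract and function names (CommitRevealLikes, commitLike, revealLike, settleMatch), the delay constants and the flat REWARD value are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical commit-reveal "like" flow with a time-locked reward settlement.
/// Names and constants are assumptions for this example, not the audited contract's API.
contract CommitRevealLikes {
    uint256 public constant REVEAL_DELAY = 10; // blocks a commit must age before it can be revealed
    uint256 public constant SETTLE_DELAY = 20; // blocks a recorded match must age before rewards pay out
    uint256 public constant REWARD = 0.01 ether; // flat per-user reward (assumed value)

    struct Commit {
        bytes32 hash;        // keccak256(abi.encodePacked(liker, target, salt)), computed off-chain
        uint256 blockNumber; // block in which the commit was made
        bool revealed;
    }

    mapping(address => Commit) public commits;
    mapping(address => mapping(address => bool)) public likes;   // liker => target => liked
    mapping(bytes32 => uint256) public matchedAt;                 // pair key => block the match was recorded

    event LikeCommitted(address indexed liker, bytes32 hash);
    event LikeRevealed(address indexed liker, address indexed target);
    event Matched(address indexed a, address indexed b, uint256 atBlock);
    event Settled(address indexed a, address indexed b);

    receive() external payable {} // reward pool funding

    /// Step 1: publish only a hash. The hash binds msg.sender, so a copied commit
    /// sent from another address can never be revealed successfully.
    function commitLike(bytes32 hash) external {
        Commit storage c = commits[msg.sender];
        require(c.hash == bytes32(0) || c.revealed, "pending commit exists");
        commits[msg.sender] = Commit({hash: hash, blockNumber: block.number, revealed: false});
        emit LikeCommitted(msg.sender, hash);
    }

    /// Step 2: reveal the target after REVEAL_DELAY blocks. By the time the target is
    /// visible in the mempool, the like is already fixed to the committer.
    function revealLike(address target, bytes32 salt) external {
        Commit storage c = commits[msg.sender];
        require(c.hash != bytes32(0) && !c.revealed, "no pending commit");
        require(block.number >= c.blockNumber + REVEAL_DELAY, "reveal too early");
        require(keccak256(abi.encodePacked(msg.sender, target, salt)) == c.hash, "hash mismatch");

        c.revealed = true;
        likes[msg.sender][target] = true;
        emit LikeRevealed(msg.sender, target);

        // Record the match, but do not pay yet: settlement is time-locked below.
        if (likes[target][msg.sender]) {
            bytes32 key = _pairKey(msg.sender, target);
            if (matchedAt[key] == 0) {
                matchedAt[key] = block.number;
                emit Matched(msg.sender, target, block.number);
            }
        }
    }

    /// Step 3: anyone may settle once the match has aged SETTLE_DELAY blocks. Rewards go
    /// to the two matched addresses only, so transaction ordering cannot redirect them.
    function settleMatch(address a, address b) external {
        bytes32 key = _pairKey(a, b);
        uint256 at = matchedAt[key];
        require(at != 0, "no recorded match");
        require(block.number >= at + SETTLE_DELAY, "time lock active");
        require(address(this).balance >= 2 * REWARD, "insufficient pool");

        delete matchedAt[key]; // effects before interactions
        (bool okA, ) = payable(a).call{value: REWARD}("");
        (bool okB, ) = payable(b).call{value: REWARD}("");
        require(okA && okB, "payout failed");
        emit Settled(a, b);
    }

    /// Order-independent key so (a,b) and (b,a) refer to the same match.
    function _pairKey(address a, address b) internal pure returns (bytes32) {
        (address lo, address hi) = a < b ? (a, b) : (b, a);
        return keccak256(abi.encodePacked(lo, hi));
    }
}
```

Two design points worth noting: including msg.sender in the committed hash is what makes the commit phase itself safe to front-run (a copied hash is useless to anyone but the original committer), and recording the match at reveal time while paying only after SETTLE_DELAY means that even a reordered reveal cannot change which addresses receive the ETH.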