DatingDapp

First Flight #33
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: medium
Invalid

Front-Running Attack in LikeRegistry Contract

Summary

The likeUser() function is vulnerable to front-running: an attacker who observes a pending like in the mempool can submit a transaction with a higher gas fee so that it executes before the legitimate user's, manipulating who receives the match rewards.

Vulnerability Details

  • Victim submits a likeUser transaction.

  • Attacker detects it in the mempool and submits the same action with a higher gas fee.

  • The attacker's transaction executes first, claiming rewards unfairly.

Impact

Attackers can prioritize their transactions, ensuring they match first and claim rewards unfairly.

  • Exploits the matchRewards function to redirect ETH rewards.

  • Leads to manipulation of the matching system, reducing fairness.

Tools Used

Manual review

Recommendations

1. Use a Commit-Reveal Scheme

Instead of immediately storing the like, require users to commit a hashed like first, then reveal it later.

2. Add a Time Lock Before Match Execution

Introduce a delay before matchRewards() can be triggered, making front-running less effective.
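The following contract is an added illustration of how the two recommendations above (commit-reveal plus a delay before a like becomes effective) fit together. It is not DatingDapp's own LikeRegistry code: the storage layout, the one-commitment-per-address simplification, the REVEAL_DELAY and REVEAL_WINDOW values and the omitted matchRewards payout are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative commit-reveal like registry (added example, not the
/// DatingDapp contract). Reward accounting from the real matchRewards
/// is not on the page and is therefore left out.
contract CommitRevealLikeRegistry {
    uint256 public constant REVEAL_DELAY = 1 minutes; // assumed value
    uint256 public constant REVEAL_WINDOW = 1 days;   // assumed value

    struct Commitment {
        bytes32 hash;
        uint256 committedAt;
    }

    // Simplification: one pending commitment per address.
    mapping(address => Commitment) public commitments;
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => mapping(address => bool)) public matched;

    event LikeCommitted(address indexed from, bytes32 hash);
    event LikeRevealed(address indexed from, address indexed to);
    event Matched(address indexed a, address indexed b);

    /// Step 1: publish only keccak256(abi.encode(msg.sender, liked, salt)).
    /// A mempool observer learns that a like is coming, not for whom.
    function commitLike(bytes32 hash) external {
        require(hash != bytes32(0), "empty hash");
        commitments[msg.sender] = Commitment(hash, block.timestamp);
        emit LikeCommitted(msg.sender, hash);
    }

    /// Step 2: after REVEAL_DELAY, reveal the liked address and salt.
    /// msg.sender is bound into the hash, so copying the reveal calldata
    /// from another account fails the hash check; and a fresh commitment
    /// made after seeing the reveal cannot itself be revealed until the
    /// delay has passed, by which time the honest reveal has landed.
    function revealLike(address liked, bytes32 salt) external {
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commitment");
        require(block.timestamp >= c.committedAt + REVEAL_DELAY, "too early");
        require(block.timestamp <= c.committedAt + REVEAL_WINDOW, "expired");
        require(
            keccak256(abi.encode(msg.sender, liked, salt)) == c.hash,
            "bad reveal"
        );
        require(liked != msg.sender, "self-like");

        delete commitments[msg.sender];
        likes[msg.sender][liked] = true;
        emit LikeRevealed(msg.sender, liked);

        // A mutual like becomes a match exactly once.
        if (likes[liked][msg.sender] && !matched[msg.sender][liked]) {
            matched[msg.sender][liked] = true;
            matched[liked][msg.sender] = true;
            emit Matched(msg.sender, liked);
            // matchRewards(msg.sender, liked) would be invoked here in a
            // real deployment; its logic is assumed, not shown.
        }
    }

    /// Helper for clients and tests: compute the commitment hash off-chain
    /// or in a Foundry test before calling commitLike.
    function commitmentHash(address from, address liked, bytes32 salt)
        external
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(from, liked, salt));
    }
}
```

In a Foundry test the flow is: call commitmentHash(user, liked, salt) with a random salt, send commitLike with that hash, warp past REVEAL_DELAY with vm.warp, then call revealLike(liked, salt). The REVEAL_WINDOW expiry stops stale commitments from being revealed much later, and the salt must be unpredictable, otherwise the hash can be brute-forced from the small set of candidate addresses.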

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
