## Summary

The `LikeRegistry` contract's reward distribution can be gamed through transaction ordering. A user who watches the mempool can time their likes so that they put up only the minimum stake while positioning themselves for the largest possible share of the pooled rewards.

## Vulnerability Details

`likeUser` creates an asymmetric economic incentive. Of two users who like each other, the second one to call `likeUser` is the one who triggers the match, and therefore decides when the match occurs and when the pooled stakes are distributed. Because every `likeUser` call, including its `msg.value` and its target, is visible in the mempool before it is mined, a user can watch for high-value likes and order their own calls around them to maximize their return.
## POC

1. The attacker monitors the mempool for pending `likeUser` transactions.
2. When a high-value like appears (for example, a 10 ETH like from Alice to Bob), the attacker front-runs it with a minimum 1 ETH `likeUser` call targeting Alice, the sender of the high-value transaction.
3. The attacker waits for Alice's high-value transaction to be mined.
4. The attacker back-runs it with a further `likeUser` call of their own.

The attacker is thereby positioned for a match with Alice while risking only the 1 ETH minimum, with Alice's 10 ETH making up the bulk of any pooled reward.

Note that the match itself still requires Alice to like the attacker back: the ordering above controls how much the attacker stakes and when they become the "second liker", not whether Alice reciprocates.
## Impact

- The matching and reward system can be gamed by sophisticated users who watch the mempool.
- Legitimate users may lose potential matches to attackers who position themselves first with the minimum stake.
- This degrades the user experience and undermines trust in the platform's matching.
## Tools Used

Manual analysis, Foundry
## Recommendations

- Implement a minimum holding period before a like can be matched, so a like cannot be reordered around a single pending transaction.
- Add randomization to match timing.
- Implement minimum stake requirements that scale with platform usage.
- Consider a batch processing system for matches, so that no single caller decides when rewards are distributed.
- Add anti-MEV protections.
- Consider implementing a commit-reveal scheme for likes, so the target of a like is not visible in the mempool before it is recorded.
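As an added example (this is not code from the audited `LikeRegistry` or from the contest repository), the following contract sketches what the last two recommendations, a holding period combined with commit-reveal, look like in Solidity. The contract and function names, the storage layout, the 1 ETH minimum, the block delays and the 50/50 payout split are all assumptions made for the sketch. A mempool watcher sees the stake attached to a commit but not who it is for, and the reveal cannot land until the holding period has passed, so a like can no longer be placed in reaction to a specific pending `likeUser` call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative commit-reveal like registry. This is an added example, not the
/// audited LikeRegistry: the storage layout, the 1 ETH minimum, the block delays
/// and the 50/50 split of the pooled stake are assumptions for the sketch.
contract CommitRevealLikes {
    uint256 public constant MIN_LIKE = 1 ether;
    uint256 public constant REVEAL_DELAY = 10;   // holding period (blocks) before a like can be revealed
    uint256 public constant REVEAL_WINDOW = 100; // blocks after the delay during which a reveal is accepted

    struct Commitment {
        uint256 committedAt; // block number of the commit, 0 = none
        uint256 value;       // stake attached to the commit
    }

    // liker => commitment hash => commitment
    mapping(address => mapping(bytes32 => Commitment)) public commitments;
    // liker => liked => revealed like
    mapping(address => mapping(address => bool)) public likes;
    // stake revealed but not yet matched, per user
    mapping(address => uint256) public balances;
    // payouts owed after a match (pull payment, no external calls inside revealLike)
    mapping(address => uint256) public claimable;

    event Committed(address indexed liker, bytes32 commitment, uint256 value);
    event Matched(address indexed a, address indexed b, uint256 pooled);

    /// Hash a client must commit for (liker, liked, salt). `salt` is fresh per like.
    function commitmentFor(address liker, address liked, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(liker, liked, salt));
    }

    /// Step 1: publish only the hash. A mempool watcher sees the stake, not the target.
    function commitLike(bytes32 commitment) external payable {
        require(msg.value >= MIN_LIKE, "below minimum like");
        require(commitments[msg.sender][commitment].committedAt == 0, "duplicate commitment");
        commitments[msg.sender][commitment] = Commitment(block.number, msg.value);
        emit Committed(msg.sender, commitment, msg.value);
    }

    /// Step 2: reveal after the holding period. The match is decided here, so the
    /// "second liker" is whoever reveals second, and they cannot have chosen their
    /// target in reaction to a like that was still pending in the mempool.
    function revealLike(address liked, bytes32 salt) external {
        require(liked != msg.sender, "cannot like self");
        bytes32 c = commitmentFor(msg.sender, liked, salt);
        Commitment memory cm = commitments[msg.sender][c];
        require(cm.committedAt != 0, "no such commitment");
        require(block.number >= cm.committedAt + REVEAL_DELAY, "holding period not over");
        require(block.number <= cm.committedAt + REVEAL_DELAY + REVEAL_WINDOW, "reveal window closed");
        delete commitments[msg.sender][c];

        likes[msg.sender][liked] = true;
        balances[msg.sender] += cm.value;

        if (likes[liked][msg.sender]) {
            // Mutual like: pool both users' revealed stakes and credit each half.
            uint256 pooled = balances[msg.sender] + balances[liked];
            balances[msg.sender] = 0;
            balances[liked] = 0;
            uint256 half = pooled / 2;
            claimable[msg.sender] += half;
            claimable[liked] += pooled - half;
            emit Matched(msg.sender, liked, pooled);
        }
    }

    /// Recover the stake of a commitment that was never revealed in time.
    function reclaim(bytes32 commitment) external {
        Commitment memory cm = commitments[msg.sender][commitment];
        require(cm.committedAt != 0, "no such commitment");
        require(block.number > cm.committedAt + REVEAL_DELAY + REVEAL_WINDOW, "still revealable");
        delete commitments[msg.sender][commitment];
        (bool ok, ) = payable(msg.sender).call{value: cm.value}("");
        require(ok, "refund failed");
    }

    /// Withdraw rewards credited by a match.
    function withdraw() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

Two design points worth noting. First, the reveal pools a user's entire unmatched balance into their first mutual match, which is the same "high-value liker's stake gets pooled" economics the finding describes; a production design would likely track stake per like rather than per user. Second, commit-reveal hides the target of a like but not its `msg.value`, so an observer can still tell that a large stake was committed; the holding period is what stops them from acting on that observation within the same block.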
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.