The ZENO auction's buy function is vulnerable to a mempool delay attack, where a malicious actor can intentionally delay another user's transaction. By exploiting mempool ordering and network fee dynamics, the attacker can cause a victim's transaction to execute at a later block timestamp, leading to a higher token price calculation and forcing the user to pay more USDC than anticipated because of the getPrice() function.
The buy function calculates the cost of tokens based on the current block timestamp using the getPrice() function. This time-dependent pricing mechanism introduces an exploitable window where:
Delayed Execution: A malicious user can manipulate the transaction ordering in the mempool. By using higher gas prices or strategically timing their transactions, the attacker can cause a victim's transaction to be delayed.
Price Increase Over Time: Since the token price is recalculated at the time of execution, any delay in the victim's transaction causes the getPrice() function to use a later timestamp. If the auction pricing model increases the token price over time, the victim ends up paying more than expected.
Exploitation Techniques: The attacker can monitor the mempool for pending transactions from users and then broadcast high-priority transactions (or even bribe miners) to ensure that the victim’s transaction is pushed to a later block. This manipulation directly impacts the computed cost within the buy function.
Financial Loss for Users: Victims may end up paying significantly more USDC than they originally intended due to the increased price when their transaction is eventually executed.
Manual Review
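One way to bound the effect described above, shown as an added example that is not the ZENO contract's code: a minimal auction with an assumed linearly rising price, placing the unbounded buy next to a variant that takes a caller-supplied maximum cost and deadline. Every name other than buy and getPrice is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the ZENO contract. Every name except buy and
// getPrice is hypothetical; the linear price ramp is an assumption.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TimePricedAuctionSketch {
    IERC20 public immutable usdc;
    uint256 public immutable startTime;
    uint256 public immutable startPrice;     // USDC base units per token at startTime
    uint256 public immutable pricePerSecond; // assumed rise in price per second
    mapping(address => uint256) public purchased; // tokens bought, whole units

    error Expired(uint256 deadline, uint256 executedAt);
    error CostTooHigh(uint256 cost, uint256 maxCost);

    constructor(IERC20 usdc_, uint256 startPrice_, uint256 pricePerSecond_) {
        usdc = usdc_;
        startTime = block.timestamp;
        startPrice = startPrice_;
        pricePerSecond = pricePerSecond_;
    }

    // Price comes from the block that includes the transaction, not from signing time.
    function getPrice() public view returns (uint256) {
        return startPrice + (block.timestamp - startTime) * pricePerSecond;
    }

    // Pattern the finding describes: the caller accepts whatever cost
    // getPrice() yields at inclusion time.
    function buy(uint256 amount) external {
        _settle(amount, amount * getPrice());
    }

    // Bounded variant: the caller commits to a cost ceiling and a latest
    // acceptable timestamp, so a delayed transaction reverts instead of overpaying.
    function buyBounded(uint256 amount, uint256 maxCost, uint256 deadline) external {
        if (block.timestamp > deadline) revert Expired(deadline, block.timestamp);
        uint256 cost = amount * getPrice();
        if (cost > maxCost) revert CostTooHigh(cost, maxCost);
        _settle(amount, cost);
    }

    function _settle(uint256 amount, uint256 cost) private {
        purchased[msg.sender] += amount;
        require(usdc.transferFrom(msg.sender, address(this), cost), "USDC transfer failed");
    }
}
```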