Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Potential Front-Running in scheduleBatch

Summary

An attacker could front-run the scheduleBatch transaction to schedule a malicious operation with the same targets, values, calldatas, predecessor, and salt.

Vulnerability Details

    function scheduleBatch(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata calldatas,
        bytes32 predecessor,
        bytes32 salt,
        uint256 delay
    ) external override onlyRole(PROPOSER_ROLE) returns (bytes32) {
        // Input validation: check if the number of targets, values, and calldatas are the same
        if (targets.length == 0 || targets.length != values.length || targets.length != calldatas.length) {
            revert InvalidTargetCount();
        }
        // Check if the delay is within the allowed range
        if (delay < _minDelay || delay > _maxDelay) {
            revert InvalidDelay(delay);
        }
        // Check predecessor if specified
        if (predecessor != bytes32(0)) {
            if (!isOperationDone(predecessor) && !isOperationPending(predecessor)) {
                revert PredecessorNotExecuted(predecessor);
            }
        }
    @>> bytes32 id = hashOperationBatch(targets, values, calldatas, predecessor, salt);

Impact

Tools Used

Recommendations

Use a unique salt for each operation to prevent collisions.

Consider adding a nonce or counter to ensure uniqueness of operation IDs.
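
An added sketch of the nonce recommendation above (not the audited contract's code and not part of the submission): the salt is derived on-chain from a counter, so each scheduled batch gets a distinct ID and a repeated ID reverts. The contract name, `_nonce`, `scheduleWithNonce`, the `readyAt` mapping and the `abi.encode`-based hash are assumptions; the role check and the delay and predecessor validation from the excerpt are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only. All names here are hypothetical, and the hashing scheme
// (keccak256 over abi.encode of the five fields) is an assumption.
contract SaltedScheduler {
    error OperationAlreadyScheduled(bytes32 id);

    event Scheduled(bytes32 indexed id, bytes32 salt, uint256 readyAt);

    mapping(bytes32 => uint256) public readyAt; // 0 means "not scheduled"
    uint256 private _nonce;                     // increases on every schedule call

    // The ID depends only on these five fields, so two calls with identical
    // fields always map to the same ID.
    function hashOperationBatch(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata calldatas,
        bytes32 predecessor,
        bytes32 salt
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(targets, values, calldatas, predecessor, salt));
    }

    function scheduleWithNonce(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata calldatas,
        bytes32 predecessor,
        uint256 delay
    ) external returns (bytes32 id) {
        // The caller no longer chooses the salt: it is bound to the chain,
        // this contract, the caller and a counter that never repeats.
        bytes32 salt = keccak256(abi.encode(block.chainid, address(this), msg.sender, _nonce++));
        id = hashOperationBatch(targets, values, calldatas, predecessor, salt);

        // Defence in depth: never overwrite an existing operation.
        if (readyAt[id] != 0) revert OperationAlreadyScheduled(id);

        readyAt[id] = block.timestamp + delay;
        emit Scheduled(id, salt, readyAt[id]); // salt is needed later to execute
    }
}
```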

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity