The `mint` function in `RAACNFT.sol` is vulnerable to frontrunning, allowing attackers to steal desirable NFTs by submitting a transaction with a higher gas fee before the original buyer's transaction is confirmed.
2025-02-raac/contracts/core/tokens/RAACNFT.sol at main · Cyfrin/2025-02-raac
Bob finds a special NFT (house) at a discounted price and submits a `mint` transaction with 10 ETH for `TOKEN_ID`.
Eric, an attacker monitoring the mempool, detects Bob’s transaction.
Eric submits the same mint transaction (`mint(TOKEN_ID, 10 ETH)`) but with a higher gas fee (e.g., 100 gwei).
The network prioritizes Eric's transaction, and he mints the NFT before Bob.
When Bob’s transaction is processed, it fails because the NFT is already minted.
Users lose NFTs they intended to mint
Implementing a Commit-Reveal Scheme might curb this.
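A minimal sketch of the commit-reveal mitigation suggested above. It is an added example, not code from RAACNFT.sol or the RAAC project; the contract name, the flat `price`, and the `MIN_DELAY`/`MAX_DELAY` values are assumptions. Because the commitment hash binds `msg.sender`, a copied reveal transaction from another address fails the hash check, and a fresh commitment cannot be revealed until `MIN_DELAY` blocks have passed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: hypothetical contract, not the project's RAACNFT.
// ERC-721 plumbing and fund withdrawal are omitted to keep the focus on ordering.
contract CommitRevealMint {
    uint256 public constant MIN_DELAY = 2;   // blocks a commitment must age (assumed value)
    uint256 public constant MAX_DELAY = 256; // blocks after which it expires (assumed value)
    uint256 public immutable price;          // flat mint price in wei (assumption)

    struct Commitment {
        bytes32 hash;
        uint256 blockNumber;
    }

    mapping(address => Commitment) public commitments; // one open commitment per buyer
    mapping(uint256 => address) public ownerOf;        // tokenId => minter

    constructor(uint256 price_) {
        price = price_;
    }

    // Compute the commitment off-chain with eth_call; the salt stays secret until reveal.
    function commitmentFor(address buyer, uint256 tokenId, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(buyer, tokenId, salt));
    }

    // Phase 1: publish only the hash. The mempool sees no tokenId.
    function commit(bytes32 hash) external {
        require(hash != bytes32(0), "empty commitment");
        commitments[msg.sender] = Commitment(hash, block.number);
    }

    // Phase 2: reveal tokenId and salt, pay, and mint.
    function reveal(uint256 tokenId, bytes32 salt) external payable {
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commitment");
        require(c.hash == commitmentFor(msg.sender, tokenId, salt), "commitment mismatch");
        require(block.number >= c.blockNumber + MIN_DELAY, "reveal too early");
        require(block.number <= c.blockNumber + MAX_DELAY, "commitment expired");
        require(ownerOf[tokenId] == address(0), "already minted");
        require(msg.value == price, "wrong payment");

        delete commitments[msg.sender]; // single use
        ownerOf[tokenId] = msg.sender;
    }
}
```

This only protects a buyer against parties who learn the token ID from the reveal transaction; two buyers who both hold aged commitments to the same token still race at reveal time, so a production design would also need a tie-break rule such as earliest commitment wins.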