The NFTLiquidator contract’s placeBid function is vulnerable to frontrunning due to Ethereum’s transparent mempool. An attacker can monitor pending bids, submit a higher bid with a higher gas price, and displace the original bidder before their transaction is confirmed.
The placeBid function in the NFTLiquidator contract allows anyone to submit a bid for an NFT auction. However, because Ethereum transactions are visible in the public mempool before they are confirmed, an attacker can exploit this by frontrunning legitimate bids. Here’s how it happens:
A user submits a bid (e.g., 1 ETH) to the contract.
An attacker watches the mempool, sees the pending bid, and quickly submits a higher bid (e.g., 1.01 ETH) with a higher gas price.
The attacker’s transaction gets processed first, making them the highest bidder.
When the original user’s transaction is mined, it fails because their bid no longer meets the new minimum requirement (e.g., 1.01 ETH + 10% = 1.111 ETH).
To succeed, the attacker must pay more than the original bid (e.g., 1.01 ETH instead of 1 ETH) plus the additional gas fees needed to be mined first.
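The sequence above, replayed as an added simulation. This is not code from the NFTLiquidator contract (the contract source is not part of this finding); the 10% minimum-raise rule, the gas-price-first block ordering, and the sender names and amounts are assumptions or constructed values taken from the example numbers in the finding. It also includes a small after-the-fact heuristic over block receipts that flags a reverted bid which was displaced by a later-submitted, higher-gas bid in the same block.

```python
# Added simulation of the bid-displacement sequence in this finding. Not the
# NFTLiquidator contract's own code; the 10% minimum raise, the gas-price
# ordering and all amounts are assumptions or constructed values.
from dataclasses import dataclass
from typing import Optional

MIN_RAISE_BPS = 1_000        # assumed: each bid must exceed the highest by 10%
ETH = 10**18                 # wei per ether


@dataclass
class PendingTx:
    sender: str
    bid_wei: int
    gas_price_gwei: int
    seen_at: int             # mempool arrival order; lower = submitted earlier


@dataclass
class Receipt:
    tx: PendingTx
    success: bool
    reason: str = ""


@dataclass
class Auction:
    highest_bidder: Optional[str] = None
    highest_bid_wei: int = 0

    def min_bid(self) -> int:
        """Smallest acceptable bid: current highest plus the assumed 10% raise."""
        if self.highest_bidder is None:
            return 1
        return self.highest_bid_wei * (10_000 + MIN_RAISE_BPS) // 10_000

    def place_bid(self, tx: PendingTx) -> Receipt:
        """Mirrors the check the finding describes: revert below the minimum."""
        required = self.min_bid()
        if tx.bid_wei < required:
            return Receipt(tx, False, f"bid {tx.bid_wei} below minimum {required}")
        self.highest_bidder, self.highest_bid_wei = tx.sender, tx.bid_wei
        return Receipt(tx, True)


def mine_block(auction: Auction, mempool: list[PendingTx]) -> list[Receipt]:
    """Assumed miner policy: include pending txs highest gas price first,
    breaking ties by arrival order."""
    ordered = sorted(mempool, key=lambda t: (-t.gas_price_gwei, t.seen_at))
    return [auction.place_bid(tx) for tx in ordered]


def detect_displacement(receipts: list[Receipt]) -> list[tuple[str, str]]:
    """Flag (victim, displacer) pairs: a reverted bid that was submitted earlier
    than a successful bid from another sender which paid more gas and was mined
    ahead of it in the same block. A heuristic over receipts, not proof of intent."""
    flagged = []
    for i, r in enumerate(receipts):
        if r.success:
            continue
        for earlier in receipts[:i]:
            if (earlier.success
                    and earlier.tx.sender != r.tx.sender
                    and earlier.tx.seen_at > r.tx.seen_at
                    and earlier.tx.gas_price_gwei > r.tx.gas_price_gwei):
                flagged.append((r.tx.sender, earlier.tx.sender))
    return flagged


def run_scenario() -> tuple[Auction, list[Receipt]]:
    """Constructed replay of the finding's example: a 1 ETH bid, then a
    1.01 ETH bid submitted later at a higher gas price."""
    auction = Auction()
    mempool = [
        PendingTx("victim",   1 * ETH,          gas_price_gwei=30, seen_at=1),
        PendingTx("attacker", 101 * ETH // 100, gas_price_gwei=50, seen_at=2),
    ]
    receipts = mine_block(auction, mempool)
    return auction, receipts


if __name__ == "__main__":
    auction, receipts = run_scenario()
    for r in receipts:
        print(f"{r.tx.sender:9s} {r.tx.bid_wei / ETH:.3f} ETH ->",
              "OK" if r.success else r.reason)
    print("highest bidder:", auction.highest_bidder)
    print("flagged:", detect_displacement(receipts))
```

Running it shows the attacker's 1.01 ETH bid mined first, the minimum rising to 1.111 ETH, and the original 1 ETH bid reverting; with equal gas prices the arrival order is preserved and the 1 ETH bid wins instead, which is the difference the private-relay mitigation relies on.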
Recommend that users submit bids through services like Flashbots, which send transactions directly to miners privately, bypassing the public mempool.