Auction.buy() is vulnerable to frontrunning attacks causing users to pay more than intended
Summary
The Auction contract's buy function lacks slippage protection, making it vulnerable to frontrunning attacks where users could be forced to pay higher prices than intended due to price fluctuations between transaction submission and execution.
Vulnerability Details
The price calculation in the Auction contract is time-dependent, making it predictable and manipulatable. Without slippage protection, users have no way to specify their maximum acceptable price.
Attack flow:
User submits transaction to buy ZENO at current price (e.g., 100 USDC)
Attacker identifies pending transaction in mempool
Attacker waits for time-based price increase
Original transaction executes at higher price than user intended
Impact
Financial loss for users who pay more than intended
Poor user experience and loss of trust in the protocol
Potential for market manipulation by sophisticated actors
Severity: Medium
Likelihood: High
Recommendations
-
Immediate fixes:
function buy(uint256 amount, uint256 maxPrice) external whenActive {uint256 price = getPrice();require(price <= maxPrice, "Price exceeds maximum");// ... continue with purchase ...} -
Additional improvements:
Implement minimum time windows between price updates
Add price oracles for more reliable pricing
Implement commit-reveal schemes for critical operations
Add explicit documentation about slippage protection usage
Include events for monitoring failed transactions due to price protection
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.