When the organizer wants to update the price of a pass (for example, to increase it), they call configurePass. That transaction is public: it sits in the mempool before it is mined, and anyone watching can read the new price from its calldata. An attacker who observes it can submit a buyPass transaction at the old price with a higher priority fee so that it is ordered ahead of the organizer's update.
Attack Scenario
Organizer submits a configurePass transaction to increase the price of a pass.
Attacker sees this transaction in the mempool and submits a buyPass transaction with the old, lower price.
If the attacker’s transaction is mined first, they buy passes at the old price.
Organizer’s transaction is mined after, updating the price for future buyers.
Risk:
Medium: This is a common transaction-ordering (front-running) issue in on-chain sales. It does not break the contract, but it can be exploited for financial gain and undermines the intended pricing strategy.
Loss of Revenue: Attackers (or bots) can buy passes at the old price, potentially in large quantities, before the new price takes effect.
Unfair Advantage: Regular users who are not monitoring the mempool do not get the same opportunity, so the remaining supply at the old price is distributed unfairly.
Recommendation: Announce price changes in advance and/or apply them only after a public delay, for example by storing the new price together with the timestamp at which it takes effect, so the change is visible on-chain before it applies. As alternatives, pause sales before reconfiguring the pass, or submit the configurePass transaction through a private transaction relay so it never appears in the public mempool.
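As an added example (this is not the project's code; the page names only configurePass and buyPass, so the storage layout, parameters, the organizer role and the PRICE_DELAY value below are assumptions), here is the immediate-update pattern beside a hardened variant that schedules the change behind a public delay and lets buyers cap the price they accept:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this finding. Names other than
// configurePass and buyPass, and all parameters, are assumptions.

/// Vulnerable pattern: the new price takes effect in the same transaction,
/// so any buyPass ordered ahead of configurePass settles at the old price.
contract PassSaleVulnerable {
    address public organizer;
    mapping(uint256 => uint256) public price; // passId => price in wei

    constructor() { organizer = msg.sender; }

    function configurePass(uint256 passId, uint256 newPrice) external {
        require(msg.sender == organizer, "not organizer");
        price[passId] = newPrice; // effective immediately: front-runnable
    }

    function buyPass(uint256 passId, uint256 quantity) external payable {
        uint256 cost = price[passId] * quantity;
        require(msg.value == cost, "wrong payment");
        // ... mint `quantity` passes to msg.sender
    }
}

/// Hardened pattern: a price change is scheduled and only applies after a
/// public delay. The pending price is visible on-chain for the whole window,
/// so a mempool watcher has no information advantage over a regular buyer.
/// buyPass also takes maxPrice so an honest buyer cannot be made to overpay
/// if a scheduled change matures before their transaction is mined.
contract PassSaleHardened {
    uint256 public constant PRICE_DELAY = 1 hours; // assumption: tune per sale

    struct PassConfig {
        uint256 price;        // currently effective price
        uint256 pendingPrice; // scheduled price, if any
        uint64 effectiveAt;   // timestamp at which pendingPrice applies (0 = none)
    }

    address public organizer;
    mapping(uint256 => PassConfig) internal configs;

    event PriceScheduled(uint256 indexed passId, uint256 newPrice, uint64 effectiveAt);

    constructor() { organizer = msg.sender; }

    /// Schedules newPrice; it becomes effective PRICE_DELAY seconds from now.
    /// Note that the first configuration of a pass also waits out the delay.
    function configurePass(uint256 passId, uint256 newPrice) external {
        require(msg.sender == organizer, "not organizer");
        PassConfig storage c = configs[passId];
        _applyPending(c); // settle an earlier schedule that has already matured
        c.pendingPrice = newPrice;
        c.effectiveAt = uint64(block.timestamp + PRICE_DELAY);
        emit PriceScheduled(passId, newPrice, c.effectiveAt);
    }

    /// Price that applies right now, honouring a matured schedule in a view.
    function currentPrice(uint256 passId) public view returns (uint256) {
        PassConfig storage c = configs[passId];
        if (c.effectiveAt != 0 && block.timestamp >= c.effectiveAt) {
            return c.pendingPrice;
        }
        return c.price;
    }

    function buyPass(uint256 passId, uint256 quantity, uint256 maxPrice) external payable {
        PassConfig storage c = configs[passId];
        _applyPending(c);
        require(c.price <= maxPrice, "price changed"); // buyer-side protection
        uint256 cost = c.price * quantity;            // reverts on overflow in 0.8
        require(msg.value == cost, "wrong payment");
        // ... mint `quantity` passes to msg.sender
    }

    function _applyPending(PassConfig storage c) internal {
        if (c.effectiveAt != 0 && block.timestamp >= c.effectiveAt) {
            c.price = c.pendingPrice;
            c.pendingPrice = 0;
            c.effectiveAt = 0;
        }
    }
}
```

With the scheduled variant, buying at the old price during the delay window is still possible, but that is the point of announcing in advance: everyone sees the same pending price and the same deadline, so the organizer's transaction no longer leaks a secret that only mempool watchers can act on. If the organizer needs the old price to stop being available at all, pausing sales before calling configurePass is the simpler control.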