The buyOrder(uint256 _orderId) function is publicly accessible and includes no mechanism to prevent front-running. A malicious actor (e.g., an MEV bot) can monitor the mempool, spot a pending purchase of a desirable order, and submit a competing transaction with a higher gas fee so that it is mined first. Because the contract marks the order as inactive immediately after purchase, the legitimate user's transaction then fails.
Likelihood:
Public mempool: Anyone can see pending transactions and replicate them.
High-value targets: Valuable orders incentivize bots to snipe.
Gas priority: Attackers can easily outbid legitimate users with higher gas.
No access restrictions: No checks on who can buy, when, or under what conditions.
Impact:
This creates a high risk of opportunistic MEV attacks, where bots snipe high-value orders ahead of real users, leading to:
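The following Solidity snippet is an added illustration, not code from the audited contract or the project. It places a minimal buyOrder in the vulnerable shape the finding describes next to a commit-reveal variant, in which the buyer first posts a hash of (buyer, orderId, salt) together with the price as a deposit, and only reveals the order id in a later block. The contract name, the REVEAL_DELAY constant, the Order/Commit structs and the createOrder, commitBuy, revealBuy and cancelCommit functions are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (hypothetical contract, not the audited one): a minimal order book
/// showing the front-runnable buyOrder pattern and a commit-reveal alternative.
contract OrderBookExample {
    struct Order {
        address seller;
        uint256 price;  // in wei
        bool active;
    }

    struct Commit {
        bytes32 hash;        // keccak256(abi.encode(buyer, orderId, salt))
        uint256 blockNumber; // block in which the commit was made
        uint256 deposit;     // price paid up front, refunded on cancel
    }

    uint256 public constant REVEAL_DELAY = 1; // assumed: reveal must be at least one block later

    mapping(uint256 => Order) public orders;
    mapping(address => Commit) public commits;
    uint256 public nextOrderId;

    function createOrder(uint256 _price) external returns (uint256 id) {
        id = nextOrderId++;
        orders[id] = Order({seller: msg.sender, price: _price, active: true});
    }

    // --- Vulnerable pattern, as described in the finding ---
    // The order id is visible in the pending transaction, and whichever
    // purchase lands first flips `active`, so a higher-gas copy wins.
    function buyOrder(uint256 _orderId) external payable {
        Order storage o = orders[_orderId];
        require(o.active, "order inactive");
        require(msg.value == o.price, "wrong price");
        o.active = false; // the second transaction reverts on the check above
        (bool ok, ) = o.seller.call{value: msg.value}("");
        require(ok, "payout failed");
    }

    // --- Commit-reveal variant ---
    // Step 1: the buyer commits to a hash that hides the order id, paying the
    // price as a deposit. Observers see only the hash and the amount.
    function commitBuy(bytes32 _hash) external payable {
        require(commits[msg.sender].hash == bytes32(0), "commit pending");
        commits[msg.sender] = Commit({hash: _hash, blockNumber: block.number, deposit: msg.value});
    }

    // Step 2: in a later block the buyer reveals the order id and salt. A bot
    // that sees this reveal in the mempool cannot fabricate an older commit.
    function revealBuy(uint256 _orderId, bytes32 _salt) external {
        Commit memory c = commits[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        require(block.number > c.blockNumber + REVEAL_DELAY, "reveal too early");
        require(keccak256(abi.encode(msg.sender, _orderId, _salt)) == c.hash, "bad reveal");

        Order storage o = orders[_orderId];
        require(o.active, "order inactive");
        require(c.deposit == o.price, "wrong price");

        delete commits[msg.sender];
        o.active = false;
        (bool ok, ) = o.seller.call{value: c.deposit}("");
        require(ok, "payout failed");
    }

    // Refund path if the order was taken or the buyer changes their mind.
    function cancelCommit() external {
        Commit memory c = commits[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        delete commits[msg.sender];
        (bool ok, ) = msg.sender.call{value: c.deposit}("");
        require(ok, "refund failed");
    }
}
```

The commit-reveal variant removes the mempool signal that the finding relies on: a pending commitBuy reveals nothing about which order is targeted, and a pending revealBuy cannot be copied because the copier has no matching commit from an earlier block. It is a mitigation rather than a complete fix: the deposit amount still leaks the price tier, and a well-funded bot could lock deposits against every active order in advance, so the scheme raises the attacker's cost instead of making sniping impossible. Alternatives with the same goal include routing purchases through a private transaction relay or assigning buyers per-order reservations off-chain before settlement.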