Root + Impact
Description
The OrderBook contract allows sellers to modify existing orders through the amendSellOrder() function without any temporal restrictions or anti-MEV protections. The normal behavior should provide fair trading conditions where buyers can execute orders at the advertised price without interference. However, malicious sellers can monitor the mempool for incoming buyOrder() transactions and front-run them by quickly amending their orders to increase prices, decrease amounts, or modify deadlines, effectively extracting additional value from unsuspecting buyers.
Risk
Likelihood:
MEV bots and sophisticated traders actively monitor mempool activity for profitable opportunities in DeFi protocols
The amendment function has no cooldown period, allowing immediate modifications when profitable buy orders are detected
Gas price manipulation allows attackers to ensure their amendment transactions are prioritized over buyer transactions
Impact:
Buyers pay significantly more than the originally advertised price due to last-minute price increases
Transaction failures waste gas costs for legitimate buyers attempting to purchase at fair market prices
Systematic erosion of user trust in the platform's fairness and reliability
Creation of MEV opportunities that favor sophisticated actors over retail users
Proof of Concept
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface covering only the OrderBook functions the PoC calls;
// the parameter lists follow the signatures shown in this finding.
interface IOrderBook {
    function createSellOrder(address tokenToSell, uint256 amountToSell, uint256 priceInUSDC, uint256 deadlineDuration) external returns (uint256);
    function amendSellOrder(uint256 orderId, uint256 newAmountToSell, uint256 newPriceInUSDC, uint256 newDeadlineDuration) external;
}

contract FrontRunningAttack {
    IOrderBook public orderBook;
    address public weth;

    constructor(address _orderBook, address _weth) {
        orderBook = IOrderBook(_orderBook);
        weth = _weth;
    }

    // Step 1: advertise 1 WETH at 2000 USDC. Step 2: once a buyOrder() for this
    // order appears in the mempool, amend the price to 2500 USDC in a transaction
    // that is mined first; the buyer then pays 25% more than advertised, or the
    // buy reverts and the buyer's gas is wasted. Nothing in amendSellOrder() stops this.
    function demonstrateAttack() external {
        uint256 orderId = orderBook.createSellOrder(weth, 1 ether, 2000e6, 1 days);
        orderBook.amendSellOrder(orderId, 1 ether, 2500e6, 1 days);
    }
}
```
Recommended Mitigation
Implement a cooldown period for order amendments to prevent immediate modifications:
```solidity
mapping(uint256 => uint256) public lastAmendmentTime;
uint256 public constant AMENDMENT_COOLDOWN = 300; // 5 minutes

function amendSellOrder(
    uint256 _orderId,
    uint256 _newAmountToSell,
    uint256 _newPriceInUSDC,
    uint256 _newDeadlineDuration
) public {
    // Reject an amendment that arrives less than AMENDMENT_COOLDOWN after the
    // previous one. createSellOrder() should also set lastAmendmentTime[orderId]
    // = block.timestamp; otherwise the first amendment of a fresh order
    // (lastAmendmentTime == 0) passes this check immediately.
    require(
        block.timestamp >= lastAmendmentTime[_orderId] + AMENDMENT_COOLDOWN,
        "Amendment cooldown period not met"
    );
    // ... existing validation logic ...
    lastAmendmentTime[_orderId] = block.timestamp;
    // ... rest of function implementation ...
}
```
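The following is an added, self-contained example (not the project's OrderBook code) that shows the cooldown above in a complete contract and goes one step further on the buyer side: createSellOrder() starts the cooldown at creation, and buyOrder() takes the price and amount the buyer saw when deciding to buy, so an amendment that lands first makes the purchase revert before any USDC moves. The storage layout, field names, the reading of priceInUSDC as the total price for the whole order, and the two extra buyOrder() parameters are assumptions of this example, not taken from the audited contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here, declared inline so the file compiles alone.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical hardened order book; storage layout and names are assumptions.
contract HardenedOrderBook {
    struct Order {
        address seller;
        address tokenToSell;
        uint256 amountToSell;
        uint256 priceInUSDC;      // assumed: total USDC for the whole order
        uint256 deadlineTimestamp;
        bool isActive;
    }

    uint256 public constant AMENDMENT_COOLDOWN = 300; // 5 minutes, as in the finding

    IERC20 public immutable usdc;
    uint256 public nextOrderId = 1;
    mapping(uint256 => Order) public orders;
    // Timestamp of the last state change (creation or amendment) per order.
    mapping(uint256 => uint256) public lastAmendmentTime;

    event OrderAmended(uint256 indexed orderId, uint256 amountToSell, uint256 priceInUSDC, uint256 deadline);
    event OrderFilled(uint256 indexed orderId, address indexed buyer);

    constructor(address _usdc) {
        usdc = IERC20(_usdc);
    }

    function createSellOrder(address _tokenToSell, uint256 _amountToSell, uint256 _priceInUSDC, uint256 _deadlineDuration)
        external
        returns (uint256 orderId)
    {
        require(_amountToSell > 0 && _priceInUSDC > 0, "zero amount or price");
        orderId = nextOrderId++;
        orders[orderId] = Order(msg.sender, _tokenToSell, _amountToSell, _priceInUSDC, block.timestamp + _deadlineDuration, true);
        // Start the cooldown at creation so the very first amendment is rate-limited too.
        lastAmendmentTime[orderId] = block.timestamp;
        require(IERC20(_tokenToSell).transferFrom(msg.sender, address(this), _amountToSell), "escrow failed");
    }

    function amendSellOrder(uint256 _orderId, uint256 _newAmountToSell, uint256 _newPriceInUSDC, uint256 _newDeadlineDuration) external {
        Order storage o = orders[_orderId];
        require(o.isActive && o.seller == msg.sender, "not seller of active order");
        require(block.timestamp >= lastAmendmentTime[_orderId] + AMENDMENT_COOLDOWN, "Amendment cooldown period not met");
        require(_newAmountToSell > 0 && _newPriceInUSDC > 0, "zero amount or price");

        // Keep escrow in sync with the amended amount: pull the increase or refund the decrease.
        if (_newAmountToSell > o.amountToSell) {
            require(IERC20(o.tokenToSell).transferFrom(msg.sender, address(this), _newAmountToSell - o.amountToSell), "escrow failed");
        } else if (_newAmountToSell < o.amountToSell) {
            require(IERC20(o.tokenToSell).transfer(msg.sender, o.amountToSell - _newAmountToSell), "refund failed");
        }
        o.amountToSell = _newAmountToSell;
        o.priceInUSDC = _newPriceInUSDC;
        o.deadlineTimestamp = block.timestamp + _newDeadlineDuration;
        lastAmendmentTime[_orderId] = block.timestamp;
        emit OrderAmended(_orderId, _newAmountToSell, _newPriceInUSDC, o.deadlineTimestamp);
    }

    // The buyer passes the terms they saw off-chain. If an amendment was mined first and
    // made the order worse (higher price or smaller amount), this reverts before any USDC
    // moves; an amendment that only improved the terms still goes through.
    function buyOrder(uint256 _orderId, uint256 _expectedPriceInUSDC, uint256 _expectedAmount) external {
        Order storage o = orders[_orderId];
        require(o.isActive, "order not active");
        require(block.timestamp <= o.deadlineTimestamp, "order expired");
        require(o.priceInUSDC <= _expectedPriceInUSDC, "price increased since quote");
        require(o.amountToSell >= _expectedAmount, "amount decreased since quote");

        o.isActive = false; // effects before interactions
        require(usdc.transferFrom(msg.sender, o.seller, o.priceInUSDC), "payment failed");
        require(IERC20(o.tokenToSell).transfer(msg.sender, o.amountToSell), "delivery failed");
        emit OrderFilled(_orderId, msg.sender);
    }
}
```

The cooldown alone only rate-limits the seller; the buyer-side check is what removes the profit from the front-run, because the amended order cannot be filled at the new price by a buyer who quoted the old one. A Foundry test for this would create an order, call amendSellOrder() from the seller in the same block and expect the "Amendment cooldown period not met" revert, then warp past the cooldown, raise the price, and expect buyOrder() with the original quote to revert with "price increased since quote".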