OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Front-running: Order Amendment Before Buy

perun84

Root + Impact

Description

Normal behavior: The seller can amend their order (change amount, price, or deadline) at any time before it is filled or canceled. The buyer can call buyOrder to purchase the order at its current terms.
Issue: If a buyer submits a buyOrder transaction, the seller can see this pending transaction in the mempool and quickly submit an amendSellOrder transaction with less favorable terms (e.g., higher price or lower amount). If the seller’s amendment is mined before the buyer’s purchase, the buyer will unintentionally buy at the new, worse terms.

function amendSellOrder(...) public {

// @> Seller can change price, amount, or deadline at any time before order is filled

order.amountToSell = _newAmountToSell;

order.priceInUSDC = _newPriceInUSDC;

order.deadlineTimestamp = newDeadlineTimestamp;

// @> No mechanism to lock order terms once a buy is pending

}

function buyOrder(uint256 _orderId) public {

// @> Buyer purchases at whatever terms are present at execution time, not at submission time

uint256 protocolFee = (order.priceInUSDC * FEE) / PRECISION;

uint256 sellerReceives = order.priceInUSDC - protocolFee;

// ...

}

Risk

Likelihood:

This will occur when a buyer submits a buyOrder and the seller is monitoring the mempool, especially for high-value or illiquid orders.
More likely in adversarial environments or with sophisticated sellers/bots.

Impact:

Buyers may receive less tokens or pay more USDC than expected.
Loss of trust in the protocol and potential financial loss for buyers.

Proof of Concept

Buyer submits buyOrder and got less tokens than expected due to front run amend.

// 1. Buyer submits buyOrder(orderId) for an order with price = 100 USDC, amount = 1 token

// 2. Seller sees the pending buyOrder in the mempool

// 3. Seller quickly submits amendSellOrder(orderId, 1 token, 200 USDC, ...) to double the price

// 4. amendSellOrder is mined before buyOrder

// 5. Buyer ends up paying 200 USDC instead of 100 USDC for the same order

Recommended Mitigation

Lock order during the amend. On-going bought can't happen or must happen with old price and amount.

- // No mechanism to lock order terms once a buy is pending

+ // Consider implementing a commit-reveal or order versioning mechanism:

+ // - Store a hash of order terms when buyOrder is submitted

+ // - Require buyOrder to specify expected price/amount and revert if changed

+ // Example:

+ function buyOrder(uint256 _orderId, uint256 expectedPrice, uint256 expectedAmount) public {

+ require(order.priceInUSDC == expectedPrice, "Order price changed");

+ require(order.amountToSell == expectedAmount, "Order amount changed");

+ // ...proceed with buy

+ }

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

Buy orders can be front-run and amended maliciously

A malicious seller can front-run a buy order for their order, and decrease the amount of assets to be sold. If the price is unchanged, the buy transaction fulfills, but the buyer gets lesser amount than expected.

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.