OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Front-Running Vulnerability in `buyOrder` Function, leading to Potential Buyer Fund Loss

Description: When a buyer calls `buyOrder`, the order creator can front-run the transaction by calling `amendSellOrder` to reduce the amount of tokens the order sells.
Because `buyOrder` takes only the order ID, the buyer's transaction still executes against the amended order.
This can lead to the buyer receiving fewer tokens than expected for the same USDC payment, resulting in a loss of funds.

Impact: Buyer may receive fewer tokens than intended, leading to financial loss.

Proof of Concept: Add the following test to TestOrderBook.t.sol:

```solidity
function test_FrontRunningAttack() public {
    // alice creates a sell order for wbtc
    uint256 price = 200_000e6; // 200k USDC
    uint256 amount = 2e8; // 2 WBTC
    vm.startPrank(alice);
    wbtc.approve(address(book), 2e8);
    uint256 aliceId = book.createSellOrder(address(wbtc), amount, price, 2 days);
    vm.stopPrank();

    // alice front-runs dan's buy by amending her own order down to 1 unit
    vm.prank(alice);
    book.amendSellOrder(aliceId, 1, price, 2 days);

    // dan's buy still executes against the amended order
    vm.startPrank(dan);
    usdc.approve(address(book), price);
    book.buyOrder(aliceId);
    vm.stopPrank();

    assertEq(wbtc.balanceOf(dan), 1); // dan only gets 1 unit of WBTC
    assertEq(wbtc.balanceOf(alice), amount - 1);
    assertEq(usdc.balanceOf(alice), price * (book.PRECISION() - book.FEE()) / book.PRECISION());
}
```
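To make the transaction ordering concrete, the following Python model (an added example, not the project's code) replays the sequence above against both the current `buyOrder` and the parameter-checked form proposed in the mitigation; the fee constants and the `Revert` error names are assumptions of the model.

```python
# Fee constants are assumed values for this model, not the audited contract's.
PRECISION, FEE = 10_000, 300  # FEE = 3 % in PRECISION units

class Revert(Exception):
    pass  # stands in for a Solidity revert with a named custom error
class Order:
    def __init__(self, seller, amount, price):  # WBTC 8 dec / USDC 6 dec
        self.seller, self.amount_to_sell, self.price_in_usdc = seller, amount, price
        self.is_active = True

class OrderBook:
    def __init__(self):
        self.orders, self.next_id = {}, 1

    def create_sell_order(self, seller, amount, price):
        oid, self.next_id = self.next_id, self.next_id + 1
        self.orders[oid] = Order(seller, amount, price)
        return oid

    def amend_sell_order(self, caller, oid, amount, price):
        o = self.orders[oid]
        if caller != o.seller:
            raise Revert("NotOrderSeller")
        o.amount_to_sell, o.price_in_usdc = amount, price

    def _settle(self, oid):
        # Report's validation, then a fill at whatever amount_to_sell holds now.
        o = self.orders.get(oid)
        if o is None or not o.is_active:
            raise Revert("OrderNotFound" if o is None else "OrderNotActive")
        o.is_active = False
        return o.amount_to_sell, o.price_in_usdc * (PRECISION - FEE) // PRECISION
    def buy_order(self, oid):  # vulnerable: the buyer states no expectation
        return self._settle(oid)
    def buy_order_checked(self, oid, amount, price):  # mitigated form
        o = self.orders[oid]
        if amount != o.amount_to_sell:
            raise Revert("InvalidAmount")
        if price != o.price_in_usdc:
            raise Revert("InvalidPrice")
        return self._settle(oid)

def front_run(checked):
    """Replays the PoC ordering: alice's amend is mined before dan's buy."""
    book, amount, price = OrderBook(), 2 * 10**8, 200_000 * 10**6
    oid = book.create_sell_order("alice", amount, price)
    book.amend_sell_order("alice", oid, 1, price)  # front-run: now 1 satoshi
    if checked:
        return book.buy_order_checked(oid, amount, price)  # dan's expectation
    return book.buy_order(oid)
```

`front_run(False)` fills dan for 1 satoshi while alice is paid the full price net of fee; `front_run(True)` reverts with `InvalidAmount` before any settlement.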

Recommended Mitigation:
Add `amount` and `price` parameters to `buyOrder` so the buyer's transaction reverts if the order was modified after the buyer submitted it:

- function buyOrder(uint256 _orderId) public {
+ function buyOrder(uint256 _orderId, uint256 amount, uint256 price) public {
Order storage order = orders[_orderId];
// Validation checks
if (order.seller == address(0)) revert OrderNotFound();
if (!order.isActive) revert OrderNotActive();
if (block.timestamp >= order.deadlineTimestamp) revert OrderExpired();
+ if (amount != order.amountToSell) revert InvalidAmount();
+ if (price != order.priceInUSDC) revert InvalidPrice();
...
}
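Review bot: the two new reverts use `InvalidAmount()` and `InvalidPrice()`, which are not among the errors this hunk shows the contract already using (`OrderNotFound`, `OrderNotActive`, `OrderExpired`); add `error InvalidAmount();` and `error InvalidPrice();` next to the existing error declarations or the contract will not compile. Keeping the two equality checks directly after the existing validation and before the elided settlement logic is the right placement, since a buyer whose order was amended then reverts before any funds move.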
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Buy orders can be front-run and amended maliciously

A malicious seller can front-run a buy order for their order, and decrease the amount of assets to be sold. If the price is unchanged, the buy transaction fulfills, but the buyer gets a lesser amount than expected.
