OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Frontrunning of the buy order

xgrybto

Description

The buyOrder() function is vulnerable to a frontrun attack because it has no mecanism to protect the user against it
An attacker could either :
- buy the order before the user (no big deal)
- amend his own order before the buying of the user (critical)
If the user has approved more USDC than the desired amount for the current order, the attacker could benefit from it and amend the order by either increase the USDC amount desired, and/or decrease the token amount (weth, wbtc, wsol) he gives in exchange.

Risk

Likelihood:

if an attacker frontun a purchase from a user on his order → always possible

Impact:

The loss of the user’s fund

Proof of Concept

function test_frontRunningOrder() public {

address attacker = makeAddr("will_frontrun_order");

weth.mint(attacker, 2);

vm.startPrank(attacker);

weth.approve(address(book), 2e18);

uint256 attackerId = book.createSellOrder(

address(weth),

2e18,

5_000e6,

2 days

);

vm.stopPrank();

// dan wants to buy the order of the attacker

vm.prank(dan);

usdc.approve(address(book), 6_000e6);

// The attacker see that dan wants to buy his order, so he frontrun his transaction

vm.prank(attacker);

book.amendSellOrder(attackerId, 1e18, 6_000e6, 2 days);

assert(usdc.balanceOf(attacker) == 0);

// dan buys the order

vm.prank(dan);

book.buyOrder(attackerId);

assert(usdc.balanceOf(attacker) > 5_000e6);

assert(weth.balanceOf(dan) == 1e18);

}

Recommended Mitigation

The best solution is to implement a commit & reveal system, that allows the user to first announces that he want to buy the order, in a private way (nobody can see which order he wants to buy), and then buys the order. An attacker won’t be able to frontrun the second call since we will be able to verify that the order is in buying state.
Another solution is to give the user the ability to pass into the buyOrder function the amount he is willing to pay and to receive. It’s easier to implement, but not very secure since we let the responsability to the user to manage the security of the transaction.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Buy orders can be front-run and amended maliciously

A malicious seller can front-run a buy order for their order, and decrease the amount of assets to be sold. If the price is unchanged, the buy transaction fulfills, but the buyer gets lesser amount than expected.

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.