OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP

Submission Details
Severity: high
Valid

Front-running attacks on order price amendments enabling MEV extraction

Description:

The OrderBook contract is vulnerable to front-running when a seller raises the price of an existing order through amendSellOrder(). The amendment is an ordinary transaction that sits in the public mempool before it executes, and nothing ties a buyer's fill to the price the seller now intends: until the amendment is mined, buyOrder() still settles at the old price. When a seller submits a price increase (for example because the market has moved in their favour), an MEV bot watching the mempool can see the pending amendment and buy the order at the old, lower price before it is processed.

The attack exploits the time gap between transaction submission and execution, allowing malicious actors to extract value from sellers who are trying to adjust their prices to current market conditions.

Attack path:

  1. Order creation: Seller creates an order selling 1 WETH for 3,000 USDC

  2. Market movement: WETH price increases to $3,500 on external markets

  3. Amendment attempt: Seller submits amendSellOrder(orderId, 1e18, 3500e6, 2 days) at a 30 gwei gas price

  4. MEV detection: Bot monitors mempool and detects the price increase transaction

  5. Front-running: Bot submits buyOrder(orderId) with a higher gas price (100 gwei)

  6. Block execution: Bot's transaction executes first, purchasing WETH at old price (3,000 USDC)

  7. Amendment failure: Seller's amendment transaction reverts with "OrderNotActive" error

  8. Profit extraction: Bot sells WETH at market price (3,500 USDC) for 500 USDC profit

Impact:

Sellers lose potential profits when trying to adjust prices to market conditions (in the example, $500 loss per 1 WETH)

Bots capture value intended for legitimate sellers without providing any service

Users become reluctant to create orders knowing they cannot effectively adjust prices

The vulnerability is particularly severe during high volatility periods when price adjustments are most needed, potentially causing significant financial losses for users.

Recommended Mitigation:

Implement a two-step settlement: a buyer first expresses interest in an order, and the seller must then confirm that they genuinely want to sell at the specified price. Because the tokens only change hands on the seller's confirmation, a buyer who front-runs an amendment no longer obtains a fill at the stale price.
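The following contract is an added illustration of that two-step pattern; it is not the First Flight OrderBook code, and every name, field and the 1-hour interest window are assumptions. Instead of a buyOrder() that transfers the tokens immediately, a buyer calls expressInterest() and escrows USDC at the currently listed price. amendSellOrder() voids any interest quoted at the old price (the escrow becomes a credit the buyer can reclaim), and only confirmSale(), callable by the seller alone, moves the tokens. A bot that front-runs the amendment therefore ends up with a stale quote the seller simply never confirms. Amount changes in amendSellOrder() are omitted to keep the example short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical two-step order book (added example, not the First Flight OrderBook).
/// A buyer can only escrow USDC and express interest; tokens move only when the
/// seller confirms, so front-running an amendment no longer buys at the stale price.
contract SellerConfirmedOrderBook {
    using SafeERC20 for IERC20;

    struct Order {
        address seller;
        IERC20 tokenToSell;
        uint256 amountToSell;
        uint256 priceInUSDC;
        uint256 deadlineTimestamp;
        bool isActive;
        address interestedBuyer; // zero address when no interest is pending
        uint256 interestPrice;   // listed price the buyer escrowed against
        uint256 interestExpiry;  // a newer buyer may replace this interest after it
    }

    uint256 public constant INTEREST_WINDOW = 1 hours; // assumed value
    IERC20 public immutable usdc;
    uint256 public nextOrderId;
    mapping(uint256 => Order) public orders;
    mapping(address => uint256) public usdcCredit; // voided escrow, pull-based refund

    error OrderNotActive();
    error NotOrderSeller();
    error InterestPending();
    error NoInterest();
    error StaleInterest();

    constructor(IERC20 _usdc) { usdc = _usdc; }

    function createSellOrder(IERC20 token, uint256 amount, uint256 price, uint256 ttl)
        external returns (uint256 id)
    {
        id = nextOrderId++;
        orders[id] = Order(msg.sender, token, amount, price, block.timestamp + ttl, true, address(0), 0, 0);
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    /// Seller re-prices the order (amount changes omitted for brevity). Interest quoted
    /// at the old price is voided; the escrow becomes a credit the buyer can reclaim.
    function amendSellOrder(uint256 id, uint256 newPrice, uint256 ttl) external {
        Order storage o = orders[id];
        if (!o.isActive) revert OrderNotActive();
        if (o.seller != msg.sender) revert NotOrderSeller();
        _voidInterest(o);
        o.priceInUSDC = newPrice;
        o.deadlineTimestamp = block.timestamp + ttl;
    }

    /// Buyer escrows USDC at the listed price. Front-running an amendment with this call
    /// gains nothing: the seller sees a quote at the stale price and does not confirm it.
    function expressInterest(uint256 id) external {
        Order storage o = orders[id];
        if (!o.isActive || block.timestamp > o.deadlineTimestamp) revert OrderNotActive();
        if (o.interestedBuyer != address(0) && block.timestamp <= o.interestExpiry) revert InterestPending();
        _voidInterest(o); // an expired buyer's escrow becomes a credit before replacement
        o.interestedBuyer = msg.sender;
        o.interestPrice = o.priceInUSDC;
        o.interestExpiry = block.timestamp + INTEREST_WINDOW;
        usdc.safeTransferFrom(msg.sender, address(this), o.priceInUSDC);
    }

    /// Seller settles only against an escrow that matches the price listed right now.
    function confirmSale(uint256 id) external {
        Order storage o = orders[id];
        if (!o.isActive) revert OrderNotActive();
        if (o.seller != msg.sender) revert NotOrderSeller();
        address buyer = o.interestedBuyer;
        if (buyer == address(0)) revert NoInterest();
        if (o.interestPrice != o.priceInUSDC) revert StaleInterest(); // defence in depth
        o.isActive = false;
        o.interestedBuyer = address(0);
        o.tokenToSell.safeTransfer(buyer, o.amountToSell);
        usdc.safeTransfer(msg.sender, o.interestPrice);
    }

    /// Buyer withdraws a pending or voided escrow at any time; it is their own USDC.
    function reclaimInterest(uint256 id) external {
        Order storage o = orders[id];
        if (o.interestedBuyer == msg.sender) _voidInterest(o);
        uint256 amount = usdcCredit[msg.sender];
        if (amount == 0) return;
        usdcCredit[msg.sender] = 0;
        usdc.safeTransfer(msg.sender, amount);
    }

    function _voidInterest(Order storage o) internal {
        if (o.interestedBuyer == address(0)) return;
        usdcCredit[o.interestedBuyer] += o.interestPrice;
        o.interestedBuyer = address(0);
        o.interestPrice = 0;
    }
}
```

Two design points are worth noting. Refunds use a pull pattern (usdcCredit) rather than pushing USDC back inside amendSellOrder(), so a buyer whose transfers revert cannot block the seller from re-pricing. And confirmSale() re-checks that the escrowed price equals the listed price even though amendSellOrder() already voids stale interest; that makes the invariant explicit and survives any reentrant ordering through a non-standard token. A cancelSellOrder() would follow the same shape as amendSellOrder(): void the interest first, then return the tokens to the seller, which also closes the cancellation front-run the judge notes below. The cost of this design is that settlement now needs a second seller transaction, which is the trade-off the recommendation accepts.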

Updates

Lead Judging Commences

yeahchibyke (Lead Judge), 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Amends or cancellation of sell orders can be front-run

When a seller wants to amend or cancel their sell orders, a malicious entity can front-run their transactions and buy out the orders. This can be especially harmful when real-world prices of listed assets fluctuate and sellers want to adjust the prices listed in their orders.
