Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Economic Exploitation via Front-Running Owner's Production Function

Root + Impact

Description

  • Normal Behavior: The owner's produce() function is intended to increase the company's inventory and overall value, which should benefit all shareholders proportionally over time.

  • The Issue: A critical flaw exists where the value added to the company's valuation from production is immediately greater than the cost of that production. An attacker can monitor the blockchain for the owner's produce() transaction and front-run it by buying shares. This allows them to capture the instant, risk-free profit created by the owner's action, diluting the value for all other legitimate investors.

# Root cause in the codebase with @> marks to highlight the relevant section
# In the produce() function:
# The value added to inventory is greater than the production cost, creating instant profit.
@> self.inventory_value += item_value * quantity # Where item_value > self.production_cost
self.cash -= self.production_cost * quantity

Risk

Likelihood:

  • This vulnerability will occur whenever the owner calls any administrative function that instantly increases the company's net worth by more than that function costs.

  • An attacker can reliably execute this by monitoring the mempool for the owner's transactions and submitting their own investment with a higher gas fee.

Impact:

  • This flaw leads to the direct and systematic extraction of value from the company at the expense of other shareholders.

  • It breaks the economic fairness of the simulation and siphons value from the protocol, undermining its core purpose.

Proof of Concept

Explanation: The following test simulates the front-running attack. An attacker monitors for the owner's produce() transaction and invests right before it executes, unfairly capturing the value increase. The test confirms that the attacker's shares are worth more than their initial investment immediately after the owner's transaction is mined.

// Exploit test from src/tests/Exploit.t.sol
function test_exploit_frontrun_production() public {
    // 1. SETUP: Attacker starts with 0 shares.
    uint256 initialAttackerShares = simulator.shares(attacker);
    assertEq(initialAttackerShares, 0);

    // 2. FRONT-RUN: The attacker sees the owner's pending transaction and invests 1 ETH.
    vm.deal(attacker, 1 ether);
    vm.prank(attacker);
    simulator.invest{value: 1 ether}();

    // 3. OWNER'S ACTION: The owner's production transaction is now mined.
    vm.prank(owner);
    simulator.produce(10); // Using the correct function name from the contract

    // 4. VERIFICATION: The value of the attacker's shares is now greater than their initial 1 ETH investment.
    uint256 finalShareValue = simulator.get_share_value() * simulator.shares(attacker);
    assertGt(finalShareValue, 1 ether, "Attacker's share value did not increase post-production");
}

Reference File:

Vulnerable Code: https://github.com/CodeHawks-Contests/2025-10-company-simulator/blob/main/src/Cyfrin_Hub.vy#L128-L145

Proof of Concept: https://github.com/Sagarchhetri83/2025-10-company-simulator/blob/main/src/tests/Exploit.t.sol#L99-L130

Recommended Mitigation

Explanation: The fix makes the produce() function economically neutral at the moment of execution. By ensuring the value added to the company's inventory is exactly equal to the cash spent on production, it eliminates the front-running opportunity.
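
The accounting behind this claim, as an added Python model that is not code from the contract or from the submission: it compares what a shareholder who buys just before produce() ends up with under the original and the neutral bookkeeping. The pricing rule (shares minted at net worth per share), the `Company` class and all numbers are assumptions constructed for illustration.

```python
from fractions import Fraction


class Company:
    """Toy ledger; mirrors cash / inventory_value from the report, nothing else."""

    def __init__(self, production_cost, item_value):
        self.cash = Fraction(0)
        self.inventory_value = Fraction(0)
        self.production_cost = Fraction(production_cost)
        self.item_value = Fraction(item_value)
        self.shares = {}

    def share_price(self):
        total = sum(self.shares.values())
        # Assumption: price is net worth per share; the first share costs 1.
        return (self.cash + self.inventory_value) / total if total else Fraction(1)

    def invest(self, who, amount):
        # Assumption: shares are minted at the price in force before the deposit.
        minted = Fraction(amount) / self.share_price()
        self.cash += amount
        self.shares[who] = self.shares.get(who, 0) + minted

    def produce(self, quantity, neutral):
        total_cost = self.production_cost * quantity
        # neutral=True books inventory at cost, as the mitigation proposes;
        # neutral=False books it at item_value, as in the reported root cause.
        self.inventory_value += total_cost if neutral else self.item_value * quantity
        self.cash -= total_cost

    def holding(self, who):
        return self.shares[who] * self.share_price()


def simulate(neutral, late_entrant=True):
    """Return (late entrant's gain, existing holder's final value)."""
    c = Company(production_cost=2, item_value=5)   # constructed values
    c.invest("holder", 100)                        # long-term shareholder
    if late_entrant:
        c.invest("late", 100)                      # buys just before produce()
    c.produce(10, neutral)
    gain = c.holding("late") - 100 if late_entrant else Fraction(0)
    return gain, c.holding("holder")


if __name__ == "__main__":
    print("original, no late entrant:", simulate(False, late_entrant=False))
    print("original, late entrant:   ", simulate(False))
    print("neutral, late entrant:    ", simulate(True))
```

With these numbers the original bookkeeping hands the late buyer 15 of the 30 units of markup that would otherwise accrue to the existing holder; with neutral bookkeeping the late buyer's gain is zero.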

# In the produce() function of the Vyper contract
- # The original logic where value might be greater than cost
- self.inventory_value += item_value * quantity
- self.cash -= self.production_cost * quantity
+ # The corrected, economically neutral logic
+ total_cost: uint256 = self.production_cost * quantity
+ self.inventory_value += total_cost
+ self.cash -= total_cost
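
Review bot: in the added lines, `self.inventory_value += total_cost` no longer uses `item_value` at all, and the patch does not show where the difference between item value and production cost is recognised after this change. If that margin is booked in another call, the step change in share value moves to that call, so the mitigation should name the function that realises it and say whether it needs the same treatment. The Likelihood section attributes the issue to any administrative function that raises net worth by more than its cost, while this hunk changes only produce(), so the fix should also list the other functions that were checked.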
