Vanguard

First Flight #56
Beginner Friendly, DeFi, Foundry
Submission Details
Impact: medium
Likelihood: medium

Cooldown Violation Bypasses Limit Check

Author Revealed upon completion

Description

The hook should enforce both cooldown AND swap limit protections independently.

The limit check includes a !applyPenalty condition (line 167), so if a cooldown violation has already set applyPenalty = true, the limit check is skipped entirely. Users can exceed their swap limit by intentionally violating the cooldown.

bool applyPenalty = false;
// Check cooldown
if (addressLastSwapBlock[sender] > 0) {
    uint256 blocksSinceLastSwap = block.number - addressLastSwapBlock[sender];
    if (blocksSinceLastSwap < phaseCooldown) {
        applyPenalty = true; // @> Sets penalty flag
    }
}
// Check limit
if (!applyPenalty && addressSwappedAmount[sender] + swapAmount > maxSwapAmount) {
    applyPenalty = true; // @> SKIPPED if cooldown already violated!
}
addressSwappedAmount[sender] += swapAmount; // @> Always tracked regardless

Risk

Likelihood:

  • Any user can intentionally trigger this by swapping before cooldown expires

  • Especially profitable for bots during token launches

  • Attack costs only the penalty fee

Impact:

  • Users can bypass swap limits by violating cooldown and paying penalty

  • Bots can dump 5x their limit by paying 10% penalty fee

  • For bots front-running price crashes, 10% penalty is acceptable cost

  • Completely defeats anti-bot limit mechanism

Proof of Concept

Run: forge test --mt test_CooldownBypassesLimitCheck -vv

The test shows a bot swapping twice, violating the cooldown on the second swap, and exceeding the limit because the limit check was skipped.
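
A minimal Foundry model of the behaviour described above, added here as an example; it is not the project's hook or the submission's own test. LimitCheckModel, its constants, the shortCircuit flag and the update of addressLastSwapBlock are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical model of the check logic quoted in the finding.
// Constants are constructed sample values, not the project's configuration.
contract LimitCheckModel {
    uint256 public constant phaseCooldown = 10; // blocks
    uint256 public constant maxSwapAmount = 100;
    mapping(address => uint256) public addressLastSwapBlock;
    mapping(address => uint256) public addressSwappedAmount;

    // shortCircuit = true mirrors the reported condition; false evaluates the limit independently.
    function recordSwap(address sender, uint256 swapAmount, bool shortCircuit)
        external
        returns (bool cooldownHit, bool limitHit)
    {
        uint256 last = addressLastSwapBlock[sender];
        cooldownHit = last > 0 && block.number - last < phaseCooldown;
        bool overLimit = addressSwappedAmount[sender] + swapAmount > maxSwapAmount;
        limitHit = shortCircuit ? (!cooldownHit && overLimit) : overLimit;
        addressSwappedAmount[sender] += swapAmount; // always tracked, as in the finding
        addressLastSwapBlock[sender] = block.number; // assumed: not shown on the page
    }
}

contract LimitCheckModelTest is Test {
    address bot = address(0xBEEF);

    function _twoSwaps(bool shortCircuit) internal returns (LimitCheckModel m, bool cooldownHit, bool limitHit) {
        m = new LimitCheckModel();
        vm.roll(100);
        m.recordSwap(bot, 60, shortCircuit); // first swap: within the limit
        vm.roll(101); // one block later, still inside the cooldown
        (cooldownHit, limitHit) = m.recordSwap(bot, 60, shortCircuit); // total 120 > 100
    }

    function test_ShortCircuitHidesLimitViolation() public {
        (LimitCheckModel m, bool cooldownHit, bool limitHit) = _twoSwaps(true);
        assertTrue(cooldownHit);
        assertFalse(limitHit); // the limit violation is never evaluated
        assertGt(m.addressSwappedAmount(bot), m.maxSwapAmount());
    }

    function test_IndependentChecksReportBoth() public {
        (, bool cooldownHit, bool limitHit) = _twoSwaps(false);
        assertTrue(cooldownHit);
        assertTrue(limitHit);
    }
}
```

Both tests pass against the model: the first documents the masked limit violation, the second is the regression check for independent evaluation.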

Recommended Mitigation

Check both independently:

bool applyPenalty = false;
+ bool exceededLimit = false;
if (addressLastSwapBlock[sender] > 0) {
if (blocksSinceLastSwap < phaseCooldown) {
applyPenalty = true;
}
}
- if (!applyPenalty && addressSwappedAmount[sender] + swapAmount > maxSwapAmount) {
+ if (addressSwappedAmount[sender] + swapAmount > maxSwapAmount) {
+ exceededLimit = true;
applyPenalty = true;
}
+ if (exceededLimit) {
+ revert SwapLimitExceeded();
+ }
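
Review bot: the cooldown branch `if (blocksSinceLastSwap < phaseCooldown)` uses blocksSinceLastSwap, but the context line that declares it (`uint256 blocksSinceLastSwap = block.number - addressLastSwapBlock[sender];` in the original snippet) is missing from the patch, so as written it does not compile; restore it as an unchanged line. In the limit branch, `applyPenalty = true;` has no effect once `revert SwapLimitExceeded();` follows, and the exceededLimit flag adds nothing over reverting directly inside that branch. The revert also changes an over-limit swap from penalised to rejected, which the mitigation text should state, and SwapLimitExceeded needs an error declaration that the patch does not show.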
