Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Submission Details

Impact: high

Likelihood: high

Invalid

RustFund

abayanm1430

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

contract VanguardHook {

address public owner;

function setFeeParameters(

uint24 newInitialFee,

uint24 newPhase1Fee,

uint24 newPhase2Fee,

uint256 newPhase1Duration, // @> Can set to type(uint256).max

uint256 newPhase2Duration // @> Effectively freezes the pool

) external onlyOwner { // @> Single point of failure

initialFee = newInitialFee; // @> No maximum bounds

phase1Duration = newPhase1Duration;

}

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

// 1. Owner monitors mempool for large trades

function attackLargeTrade() external {

// 2. Sees $100K buy order from Alice

// 3. Front-runs by setting fees to 50%

vanguard.setFeeParameters(5000, 5000, 5000, 86400, 172800);

// 4. Alice's trade executes with 50% fee instead of expected 15%

// Owner pockets the 35% difference

// 5. Owner reverts fees after Alice's trade

vanguard.setFeeParameters(1500, 1000, 500, 86400, 172800);

}

Recommended Mitigation

contract VanguardHook {

address public owner;

+ uint256 public constant MAX_FEE = 2500; // 25% cap

+ uint256 public constant MAX_DURATION = 7 days;

+ uint256 public pendingChangeTime;

function setFeeParameters(...) external onlyOwner {

+ require(newInitialFee <= MAX_FEE, "Fee too high");

+ require(newPhase1Duration <= MAX_DURATION, "Duration too long");

- initialFee = newInitialFee; // Immediate application

+ scheduleChange(newInitialFee, newPhase1Duration); // 24-hour delay

}

+ function executeScheduledChange() external {

+ require(block.timestamp >= pendingChangeTime + 24 hours);

+ // Apply changes

+ }

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 10 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!