Handle
0xRajeev
Vulnerability details
Impact
The NFT token IDs for the direct redeem/swap functions are sent in the clear, so anyone can monitor the mempool and deny service to any or a specific direct redeem/swap request by front-running that transaction with one containing the same token ID(s). The motivation could be that those specific NFT IDs could be valued much more than the others over time.
The impact is that a user trying to direct redeem/swap specific NFTs will not be able to get those NFTs and may have to buy them, presumably for a much higher price, from the attacker who front-ran that transaction.
Proof of Concept
https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXVaultUpgradeable.sol#L233
https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXVaultUpgradeable.sol#L267-L272
Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider using a commit-reveal scheme for direct redeem/swap of NFTs.
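A minimal sketch of such a commit-reveal flow for direct redeem, added here as an illustration; it is not code from NFTX or from this report. The contract name, function names, delay constants and the `_redeemSpecific` hook are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; every name here is hypothetical, none is NFTX code.
abstract contract CommitRevealRedeem {
    uint256 public constant MIN_DELAY = 1;   // assumed: blocks a commitment must age
    uint256 public constant MAX_DELAY = 256; // assumed: blocks until it expires

    // user => commitment hash => block in which it was recorded (0 = none)
    mapping(address => mapping(bytes32 => uint256)) public committedAt;

    event Committed(address indexed user, bytes32 indexed commitment);

    // Computed off-chain before committing. Including the user's address means
    // a hash copied from the mempool is useless to any other account.
    function commitmentFor(address user, uint256[] memory ids, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(user, ids, salt));
    }

    // Phase 1: only the hash is published, so the token IDs stay hidden.
    function commitRedeem(bytes32 commitment) external {
        require(committedAt[msg.sender][commitment] == 0, "already committed");
        committedAt[msg.sender][commitment] = block.number;
        emit Committed(msg.sender, commitment);
    }

    // Phase 2: reveal IDs and salt in a later block. A front-runner who copies
    // the revealed IDs has no aged commitment of its own for them and reverts.
    function revealRedeem(uint256[] calldata ids, bytes32 salt) external {
        bytes32 c = commitmentFor(msg.sender, ids, salt);
        uint256 at = committedAt[msg.sender][c];
        require(at != 0, "no commitment");
        require(block.number >= at + MIN_DELAY, "revealed too early");
        require(block.number <= at + MAX_DELAY, "commitment expired");
        delete committedAt[msg.sender][c]; // one-shot: prevents replay
        _redeemSpecific(msg.sender, ids);
    }

    // Stand-in for the vault's existing direct-redeem logic; supplied by the
    // inheriting vault contract.
    function _redeemSpecific(address to, uint256[] calldata ids) internal virtual;
}
```

The commitment does not reserve the NFTs, so a reveal can still fail if the IDs left the vault in the meantime, and each redeem now costs two transactions. The direct swap path would follow the same pattern.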