code-423n4 / 2022-11-looksrare-findings


Griefing attack on atomic orders #262

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/ERC20EnabledLooksRareAggregator.sol#L32
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L56

Vulnerability details

Description

Suppose Alice signs a bunch of orders and calls the execute function on ERC20EnabledLooksRareAggregator/LooksRareAggregator with isAtomic == true. Bob monitors the mempool and sees Alice's transaction. He then takes one of the orders and executes it on his own before Alice's transaction. As a result, Alice's transaction fails and she pays its gas.

Please note that atomicity would not be violated if one of the already-executed orders failed (because it is executed anyway).

Impact

execute is vulnerable to a griefing attack.

Recommended Mitigation Steps

If the order execution fails, check that the order has not already been filled.
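
The scenario and the proposed mitigation, as an added model that is not part of this finding and not LooksRare's code: a constructed single-fill marketplace, a hypothetical execute loop with the isAtomic semantics described above, and a flag (skip_already_filled, a name chosen here) for the "check that the order has not already been filled" mitigation. Bob front-runs one order of Alice's atomic batch; without the mitigation the whole batch reverts, with it the already-taken order is skipped and the rest still fills.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    """Constructed stand-in for a signed marketplace order (not the project's struct)."""
    order_id: int
    seller: str
    price: int


class AtomicRevert(Exception):
    """Raised when an atomic batch fails; the model rolls every fill of the batch back."""


class Marketplace:
    """Toy single-fill marketplace: the first fill of an order wins, later fills revert."""

    def __init__(self) -> None:
        self.filled: dict[int, str] = {}  # order_id -> buyer

    def is_filled(self, order_id: int) -> bool:
        return order_id in self.filled

    def fill(self, order: Order, buyer: str) -> None:
        if self.is_filled(order.order_id):
            raise RuntimeError(f"order {order.order_id} already filled")
        self.filled[order.order_id] = buyer


def execute(market: Marketplace, orders: list[Order], buyer: str,
            is_atomic: bool, skip_already_filled: bool = False) -> tuple[list[int], list[int]]:
    """Hypothetical model of the aggregator's execute loop (not the contract's code).

    is_atomic=True: any failed fill reverts the whole batch, undoing earlier fills.
    skip_already_filled=True: the finding's mitigation; a fill that fails because the
    order is already gone is skipped instead of reverting the batch.
    Returns (order ids filled by `buyer`, order ids skipped).
    """
    snapshot = dict(market.filled)  # used to model an EVM revert of the batch
    done: list[int] = []
    skipped: list[int] = []
    for order in orders:
        try:
            market.fill(order, buyer)
            done.append(order.order_id)
        except RuntimeError:
            if skip_already_filled and market.is_filled(order.order_id):
                skipped.append(order.order_id)  # someone else bought it; nothing to undo
                continue
            if is_atomic:
                market.filled = snapshot  # revert: earlier fills of this batch are undone
                raise AtomicRevert(f"atomic batch failed at order {order.order_id}")
            skipped.append(order.order_id)  # non-atomic mode just moves on
    return done, skipped


def griefing_scenario(mitigated: bool) -> dict:
    """Alice submits an atomic batch for orders 1..3; Bob front-runs order 2."""
    market = Marketplace()
    alice_orders = [Order(1, "seller-a", 100), Order(2, "seller-b", 250), Order(3, "seller-c", 80)]
    # Constructed mempool ordering: Bob saw Alice's pending tx and his fill lands first.
    market.fill(alice_orders[1], "bob")
    try:
        done, skipped = execute(market, alice_orders, "alice",
                                is_atomic=True, skip_already_filled=mitigated)
        outcome = "success"
    except AtomicRevert:
        done, skipped, outcome = [], [], "reverted"
    return {"outcome": outcome, "alice_filled": done, "skipped": skipped,
            "owners": dict(market.filled)}


if __name__ == "__main__":
    print("unmitigated:", griefing_scenario(mitigated=False))
    print("mitigated:  ", griefing_scenario(mitigated=True))
```

In both runs Alice's transaction is mined and charged for gas; what the mitigation changes is whether she gets the remaining orders for that gas or a revert. The model skips an order only when the failure coincides with the order being filled, so a fill that fails for some other reason still reverts the atomic batch.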

Picodes commented 1 year ago

Front-running is a risk with all DEXes and all transactions. It could be mitigated using private RPCs like Flashbots. The mitigation does not prevent Alice from paying gas?

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-11-looksrare-findings/issues/269

c4-sponsor commented 1 year ago

0xhiroshi marked the issue as sponsor disputed