maxGasPrice can potentially be bypassed by bribing the miner

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/TradingExtension.sol#L122-L124

Vulnerability details

Impact

The maximum gas price mechanism intended to "randomize" which bot gets an order execution and thus prevent gas wars from happening (Docs) can be bypassed on networks that enable bribing of miners, e.g. Ethereum via Flashbots. The implication would be that more tech savy bot operators can get all of the orders execution rewards and drive out those operators that just use the stock software that sends transactions below or at the maxGasPrice set in the smart contract, as they will constantly be at a loss due to having no chance of hitting a successful transaction while still having to pay for the unsuccessful attempts.

Proof of Concept

The TradingExtension contract contains the following function to revert if the gasprice set in the transaction is too high (reason explained under Impact):

function _checkGas() public view {
    if (tx.gasprice > maxGasPrice) revert("1"); //GasTooHigh
}

The Flashbots-Network allows sending bundles of transactions to miners that will be prioritized according to how much profit the corresponding miner will end up with after the execution of all transactions in the bundle. The basic idea to bypass the tx.gasprice check is that the order execution transaction in the bundle contains a low gasprice (can be arbitrarily low, as long as it is higher than the block base fee, if the network has such), while a second transaction pays the validator directly by using a coinbase.transfer (more on that here).

Tools Used

Manual Review

Recommended Mitigation Steps

There is no easy mitigation to this problem. An approach would be to queue up all order execution calls of one block and randomly selecting one of them in the next block by calling a specific function.

[GalloDaSballo]

Will need some time to elaborate, but I believe this finding to have some validity, but also to be incorrect.

I will need to gather some resources, but ultimately Flashbot bundle assigns a weight to cost per gas unit, meaning if you cap the max price, you actually are creating a need for further gas efficiency.

If you assume that all callers are already optimized (fairly acceptable), then the competition will be based on using maxGas with the same actual gas used (because the contract from Tigris will be the same)

At that point the only tx that will go through will be the first, which may be:

• Randomly chosen (all other have the same properties)
• Chosen based on mempool / biz deals

[TriHaz]

I don't think this is an issue, bot network is open, and executing orders before anyone else actually benefits the protocol. Also bribing will be available to everyone, so eventually it will also balance out.

[c4-sponsor]

TriHaz marked the issue as sponsor disputed

[GalloDaSballo]

Because of the interesting convo, am downgrading to QA - Informational

NC

[c4-judge]

GalloDaSballo changed the severity to QA (Quality Assurance)

[GalloDaSballo]

I don't believe the sponsor has to do anything in terms of mitigation but I think the observation is worth flagging

[c4-judge]

GalloDaSballo marked the issue as grade-c