A malicious party could observe the mempool and frontrun createNewShare transactions, causing them to revert. This effectively blocks the user from registering new shares in the app.
While this issue wouldn't be a problem initially as creators are whitelisted, this could be problematic as the app opens to the public.
Proof of Concept
Alice monitors the mempool for any createNewShare tx.
Alice frontruns these transactions with the same parameters, thus reverting the original transactions while securing the share name for herself.
This blocks other users from creating their shares.
Recommended Mitigation Steps
Reconsider the necessity of unique shareName values. If on-chain uniqueness is important, implement strategies to counteract frontrunning, such as imposing a small fee or employing a commit-reveal process during share creation.
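The commit-reveal option mentioned above, sketched as an added example (not the project's Market.sol). The contract name, the MIN_DELAY and MAX_DELAY values, and the storage layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; every name and constant here is hypothetical.
contract CommitRevealShareRegistry {
    uint256 public constant MIN_DELAY = 2;    // blocks a commitment must age before reveal (assumed)
    uint256 public constant MAX_DELAY = 7200; // blocks after which a commitment expires (assumed)

    mapping(bytes32 => uint256) public commitBlock; // commitment => block it was recorded in
    mapping(string => uint256) public shareIDs;     // shareName => id (0 means unused)
    uint256 public shareCount;

    /// Computes the commitment; callers run this off-chain via eth_call.
    function commitmentFor(address creator, string calldata shareName, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(creator, shareName, salt));
    }

    /// Phase 1: publish only the hash, so the name never appears in the mempool.
    /// Never reverts: a copied commit sent first just records the same hash earlier.
    function commit(bytes32 commitment) external {
        uint256 prev = commitBlock[commitment];
        if (prev == 0 || block.number > prev + MAX_DELAY) {
            commitBlock[commitment] = block.number;
        }
    }

    /// Phase 2: reveal the name. msg.sender is part of the hash, so a reveal
    /// copied from the mempool and sent from another address finds no commitment.
    function createNewShare(string calldata shareName, bytes32 salt) external returns (uint256 id) {
        bytes32 commitment = commitmentFor(msg.sender, shareName, salt);
        uint256 committedAt = commitBlock[commitment];
        require(committedAt != 0, "no commitment");
        require(block.number >= committedAt + MIN_DELAY, "reveal too early");
        require(block.number <= committedAt + MAX_DELAY, "commitment expired");
        require(shareIDs[shareName] == 0, "name already registered");

        delete commitBlock[commitment]; // one-time use
        id = ++shareCount;
        shareIDs[shareName] = id;
    }
}
```

An observer who first learns the name from a pending reveal would have to commit and then wait MIN_DELAY blocks, by which time the original reveal has been mined. Two users who independently committed to the same name still race at reveal, which is ordinary competition rather than mempool copying.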
Lines of code
https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L120
Vulnerability details
Impact
The current implementation may prevent users from creating new shares, leading to frustration and potentially harming the app's reputation.
Vulnerability Details
When creating a new share via Market.createNewShare, there is a check to ensure that the shareName is unique: Market.sol#L120
Assessed type
DoS