Open hats-bug-reporter[bot] opened 10 months ago
Hello, thanks a lot for your attention. I'm afraid that I don't understand this issue... That's the first time I hear that it is possible to front-run an onlyOwner function; if it's possible, that would be the end of a lot of protocols. In conclusion, we have to consider this issue as invalid.
Github username: @goheesheng
Submission hash (on-chain): 0x65337743c99de2136c5d6af9edb4a008b7f80f9b2e097c88b7abada22e080eff
Severity: high
Description: Bots are able to monitor the mutator functions and are able to front-run the admins if they call any of these functions, setting them with malicious arguments.
Attack Scenario
1) Alice's bots monitor these functions
2) The admin calls any of these functions
3) Alice's bots front-run the transaction with higher gas fees, manipulating the transactions
https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/PresaleVesting/VestingCvg.sol#L115C1-L133C6
https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/Oracles/CvgOracle.sol#L334C1-L336C6
Mitigations
Ensure that the contract is paused before these functions are used to update values. Also include a modifier on these functions that checks that paused() has been called. Or, one common method is to use a commit-reveal scheme. In this scheme, users first submit a hashed version of their transaction (the "commit" phase). Once all transactions for a certain period have been submitted, users then reveal their actual transactions (the "reveal" phase). The transactions are then executed in the order they were originally submitted, preventing front-running.
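The pause-plus-commit/reveal pattern proposed in the mitigation above, sketched as an added illustration (not code from the Convergence repository or the submission); the contract name `GuardedSetter`, the `param` storage variable, the `MIN_DELAY` constant and the OpenZeppelin v5 import paths are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin v5 layout; adjust paths for other versions.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Pausable.sol";

/// Constructed example: an owner-only setter that can only run while the
/// contract is paused, and whose new value is committed as a hash first.
contract GuardedSetter is Ownable, Pausable {
    uint256 public param;            // the value an admin updates
    bytes32 public pendingCommit;    // keccak256(abi.encode(newValue, salt))
    uint256 public commitBlock;      // block in which the commit landed
    uint256 public constant MIN_DELAY = 1; // blocks between commit and reveal

    event ParamCommitted(bytes32 commitment, uint256 atBlock);
    event ParamUpdated(uint256 oldValue, uint256 newValue);

    constructor() Ownable(msg.sender) {}

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    /// Commit phase: only the hash is visible in the mempool, so an observer
    /// cannot learn the pending value from the commit transaction.
    /// whenPaused enforces the "pause before updating" rule from the report.
    function commitParam(bytes32 commitment) external onlyOwner whenPaused {
        require(commitment != bytes32(0), "empty commitment");
        pendingCommit = commitment;
        commitBlock = block.number;
        emit ParamCommitted(commitment, block.number);
    }

    /// Reveal phase: the value is applied only if it matches the earlier
    /// commitment and the minimum delay has elapsed.
    function revealParam(uint256 newValue, bytes32 salt) external onlyOwner whenPaused {
        require(pendingCommit != bytes32(0), "no pending commit");
        require(block.number >= commitBlock + MIN_DELAY, "reveal too early");
        require(keccak256(abi.encode(newValue, salt)) == pendingCommit, "reveal mismatch");
        delete pendingCommit;
        uint256 old = param;
        param = newValue;
        emit ParamUpdated(old, newValue);
    }
}
```

Note that while paused, user-facing functions guarded by `whenNotPaused` cannot react to the pending change, which is what removes the window the submission is concerned about.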