search

hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mecanism repo prepared for Hat finance audit competition
0 stars 0 forks source link

Frontrunning Attack #63

Open hats-bug-reporter[bot] opened 10 months ago

hats-bug-reporter[bot] commented 10 months ago

Github username: @goheesheng Submission hash (on-chain): 0x65337743c99de2136c5d6af9edb4a008b7f80f9b2e097c88b7abada22e080eff Severity: high

Description: Description: Bots are able to monitor the mutator functions and able to front-run the admins if they call any of these functions and set it with malicious arguments.

Attack Scenario

1) Alice bots monitor these functions 2) Admin call any of these functions 3) Alice bots front-run the transaction with higher gas fees, manipulating the transactions.

    function setCvg(IERC20 _cvg) external onlyOwner {
        cvg = _cvg;
    }

    function setPresale(IPresaleCvgWl _newPresaleWl) external onlyOwner {
        presaleWl = _newPresaleWl;
    }

    function setPresaleSeed(IPresaleCvgSeed _newPresaleSeed) external onlyOwner {
        presaleSeed = _newPresaleSeed;
    }

    function setWhitelistTeam(address newWhitelistedTeam) external onlyOwner {
        whitelistedTeam = newWhitelistedTeam;
    }

    function setWhitelistDao(address newWhitelistedDao) external onlyOwner {
        whitelistedDao = newWhitelistedDao;
    }

https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/PresaleVesting/VestingCvg.sol#L115C1-L133C6

    function setCvgToken(IERC20Metadata _cvg) external onlyOwner {
        cvg = _cvg;
    }

https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/Oracles/CvgOracle.sol#L334C1-L336C6

Mitigations

Ensure that when setting this function do pause the contract before updating. Also include a modifer to these functions to check that paused() has been called. OR One common method is to use a commit-reveal scheme. In this scheme, users first submit a hashed version of their transaction (the "commit" phase). Once all transactions for a certain period have been submitted, users then reveal their actual transactions (the "reveal" phase). The transactions are then executed in the order they were originally submitted, preventing front-running.

0xR3vert commented 9 months ago

Hello, Thanks a lot for your attention. I'm afraid that i don't understand this issue... That's the first time i hear that is possible to frontrun an onlyOwner function, if it's possible that would be the end of a lot of protocols. In conclusion we have so to consider this issue as invalid.