hats-finance / Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be

Palmera hierarchical module

NO deadline on transactions #48

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @shealtielanz Twitter username: shealtielanz Submission hash (on-chain): 0x422d3d050e309f2080b08e86287aa60cbe3e53228c77e840087727ed2edf97f0 Severity: medium

Description

There is no deadline on transactions, allowing users' transactions to be prone to MEV and executed during unfavourable times and conditions. During encoding and execution of transactions, a deadline isn't checked or required, allowing transactions to be held in the mempool and executed, most likely, at times unfavourable to the users.

Attack Scenario

Mitigation

Add a deadline and check during the execution of transactions.
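As an added illustration of the mitigation proposed above (my own example, not the Palmera module's code), a hypothetical relayed-execution contract whose signed payload carries a deadline, checked before the call is made. It assumes a single owner signing raw digests; a production version would use EIP-712 typed data instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only; not Palmera's code. A relayed transaction whose signed
/// payload carries an expiry, and an executor that rejects it once expired.
contract DeadlineGuardedExecutor {
    struct Tx {
        address to;
        uint256 value;
        bytes data;
        uint256 nonce;
        uint256 deadline; // unix timestamp after which the Tx must not execute
    }

    error Expired(uint256 deadline, uint256 current);
    error BadNonce(uint256 expected, uint256 actual);
    error BadSigner(address recovered);

    address public immutable owner;
    uint256 public nonce;

    constructor(address owner_) { owner = owner_; }

    /// The deadline is part of the signed digest, so whoever relays the
    /// transaction cannot strip it or extend it.
    function digest(Tx calldata t) public view returns (bytes32) {
        return keccak256(abi.encode(
            address(this), block.chainid, t.to, t.value, keccak256(t.data), t.nonce, t.deadline
        ));
    }

    function execute(Tx calldata t, bytes32 r, bytes32 s, uint8 v) external returns (bytes memory) {
        // Without this check, a held-back transaction stays valid in every later
        // block until its nonce is consumed, which is the concern in the report.
        if (block.timestamp > t.deadline) revert Expired(t.deadline, block.timestamp);
        if (t.nonce != nonce) revert BadNonce(nonce, t.nonce);
        address signer = ecrecover(digest(t), v, r, s);
        if (signer == address(0) || signer != owner) revert BadSigner(signer);
        nonce++;
        (bool ok, bytes memory ret) = t.to.call{value: t.value}(t.data);
        require(ok, "call failed");
        return ret;
    }
}
```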

0xRizwan commented 1 week ago

executing them in situations where the miner would gain

I don't see any gains that can be extracted by holding transactions in both functions; I can understand the deadline checks in the case of swaps, etc. How does the miner benefit by holding transactions in both cases?

shealtielanz commented 1 week ago

The main purpose of the protocol is to streamline user operations safely across multiple chains. Those operations can serve different purposes; it is clear in the space that there is a need for deadlines in every transaction, and here it wasn't implemented. The issue can escalate to different issues depending on the operation to be executed.

0xRizwan commented 1 week ago

Ser, myself and @0xmahdirostami would be the lead auditors for this contest. I think you didn't check the Discord message. The final decision on issue validation will be made by the sponsors.

Update: seems you edited the comment; anyway, this is for your information.

shealtielanz commented 1 week ago

I'm really sorry about the misunderstanding; I thought you were not in a position of authority to question my finding. I am truly sorry for the disrespectful comment, sir. Please accept my apology.

0xRizwan commented 1 week ago

No problem, ser

alfredolopez80 commented 1 week ago

executing them in situations where the miner would gain

I don't see any gains that can be extracted by holding transactions in both functions; I can understand the deadline checks in the case of swaps, etc. How does the miner benefit by holding transactions in both cases?

I agree with you @0xRizwan, I don't see any benefit in holding transactions in both cases.

shealtielanz commented 6 days ago

It's not mainly about the benefit for the miner here, but the disadvantage for the user when transactions don't have a deadline.

Suppose a user submits a TX at a time when the block is congested. A miner can withhold the TX to be executed in the next or a future block. Now, given the user intended the TX to be executed in that exact block and not any other, the TX can be withheld to any block in the future as long as the nonce has not been used up; the TX will execute in any future block, and this is what the user doesn't want.