Open hats-bug-reporter[bot] opened 1 month ago
Then, this "victim" has spent less gas than the "attacker" on redeeming his own winning shares, so where's the loss?

`_redeemPositions` will fully redeem the shares of the passed `outcomeIndexes`; you cannot redeem partially.

> This could deplete the available collateral or market positions, leaving the original user with fewer or no tokens to redeem.

This is the point of the report which is incorrect: positions are always fully collateralized.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x45f04ce44a8b5cb2c8ca9ce8d7d50680cbd2f5221a66b3467e577fd9133630ff
Severity: high

Description:

The `redeemPositions` function allows users to redeem positions and withdraw collateral tokens. Without proper front-running protection, an attacker could monitor the mempool and attempt to front-run legitimate users by executing redemptions just before their transaction is confirmed. This could result in an attacker redeeming the same market positions, potentially draining funds or reducing the claimable amount for the honest user.

Attack Scenario:

In a high-value market, suppose a user initiates a transaction to redeem their positions. Before their transaction is confirmed, an attacker could observe this in the mempool and quickly submit their own redemption transaction with higher gas fees. The attacker's transaction could be prioritized and processed first, allowing them to redeem positions for the same outcomes. This could deplete the available collateral or market positions, leaving the original user with fewer or no tokens to redeem.
Attachments:
Proof of Concept (PoC) File: --
Revised Code File (Optional): --
Use time delays or commit-reveal schemes to prevent front-running attacks, especially in high-value markets.
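To make the triage point above concrete, here is an added toy model of a fully collateralized market; it is constructed for this page and is not the project's code, and the `Market` class, the `split`/`resolve`/`redeem_positions` methods and the user names are all assumptions. Every complete set of outcome shares is backed 1:1 by locked collateral, and redemption is all-or-nothing per outcome index as the maintainer describes, so the order in which holders redeem (including a front-runner going first) changes nobody's payout, and a caller without shares receives nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Market:
    """Hypothetical fully collateralized outcome market (example, not the project's code)."""
    n_outcomes: int
    collateral: int = 0                                             # collateral locked in the market
    balances: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (user, outcome) -> shares
    winning: Optional[int] = None

    def split(self, user: str, amount: int) -> None:
        """Lock `amount` collateral and mint `amount` shares of every outcome to `user`."""
        self.collateral += amount
        for outcome in range(self.n_outcomes):
            key = (user, outcome)
            self.balances[key] = self.balances.get(key, 0) + amount

    def resolve(self, winning: int) -> None:
        """Report the winning outcome; only its shares are worth collateral."""
        self.winning = winning

    def redeem_positions(self, user: str, outcome_indexes: List[int]) -> int:
        """Fully redeem the caller's shares for the passed outcome indexes (no partial amounts).

        Only the caller's own balances are touched, so a third party cannot
        redeem someone else's position, and the payout never exceeds locked collateral.
        """
        if self.winning is None:
            raise RuntimeError("market not resolved")
        payout = 0
        for outcome in outcome_indexes:
            shares = self.balances.pop((user, outcome), 0)   # burn all shares for this index
            if outcome == self.winning:
                payout += shares                             # 1 winning share -> 1 unit collateral
        if payout > self.collateral:
            raise AssertionError("collateralization invariant broken")
        self.collateral -= payout
        return payout


def simulate(redeem_order: List[str]) -> Dict[str, int]:
    """Constructed scenario: alice and bob each split collateral, outcome 0 wins,
    then everyone in `redeem_order` redeems. Returns each caller's payout and the
    collateral left in the market."""
    market = Market(n_outcomes=2)
    market.split("alice", 100)
    market.split("bob", 50)
    market.resolve(0)
    result: Dict[str, int] = {}
    for user in redeem_order:
        result[user] = market.redeem_positions(user, [0, 1])
    result["collateral_left"] = market.collateral
    return result


if __name__ == "__main__":
    # Same payouts whether or not "mallory" races ahead of the honest holders.
    print(simulate(["alice", "bob", "mallory"]))
    print(simulate(["mallory", "bob", "alice"]))
```

Running it shows that `alice` always receives 100 and `bob` 50 regardless of who transacts first, `mallory` (holding no shares) receives 0, and the market ends with exactly zero collateral left: a front-runner's earlier transaction burns gas without reducing anyone else's claim, which is the reason the report's loss scenario does not arise under full collateralization.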