The use of a global latestNonce variable to generate order IDs is vulnerable to front-running attacks.
Summary
Vulnerability Detail
This Link allows a malicious contract to observe new order transactions, increment latestNonce themselves first, and assign that nonce to their own fake order.
When the legitimate user tries to place their real order, it will get a nonce that is already taken by the attacker's fake order. This could prevent the real order from being placed or make it unexecutable later.
Impact
Attacker can steal nonces or interfere with legitimate orders, as nonces are namespaced per account
feelereth
high
The use of a global latestNonce variable to generate order IDs is vulnerable to front-running attacks.
Summary
Vulnerability Detail
This Link allows a malicious contract to observe new order transactions, increment latestNonce themselves first, and assign that nonce to their own fake order. When the legitimate user tries to place their real order, it will get a nonce that is already taken by the attacker's fake order. This could prevent the real order from being placed or make it unexecutable later.
Impact
Attacker can steal nonces or interfere with legitimate orders, as nonces are namespaced per account
Code Snippet
https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L408-L415 https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L413
Tool used
Manual Review
Recommendation
nonces should be tracked per account, not globally