sherlock-audit / 2023-07-perennial-judging


feelereth - The use of a global latestNonce variable to generate order IDs is vulnerable to front-running attacks. #102

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

feelereth

high

The use of a global latestNonce variable to generate order IDs is vulnerable to front-running attacks.

Summary

Vulnerability Detail

This Link allows a malicious contract to observe new order transactions, increment latestNonce themselves first, and assign that nonce to their own fake order. When the legitimate user tries to place their real order, it will get a nonce that is already taken by the attacker's fake order. This could prevent the real order from being placed or make it unexecutable later.

Impact

Attacker can steal nonces or interfere with legitimate orders, as nonces are namespaced per account.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L408-L415

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L413

Tool used

Manual Review

Recommendation

Nonces should be tracked per account, not globally.

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

x

panprog commented:

invalid because of no impact, nonce is only used to store the order and nothing else
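
A constructed model of the scenario discussed in this issue, added here and not taken from the contest code base or from any commenter. It assumes orders are stored under (account, market, nonce) and that one shared counter is incremented inside the same call that stores the order, then sequences an attacker's orders ahead of a victim's and checks for collisions. `OrderBook`, `place_order`, `run_block` and the sample orders are hypothetical.

```python
from collections import defaultdict

# Constructed model. OrderBook, place_order and the storage layout
# (account, market) -> {nonce: order} are assumptions, not MultiInvoker code.


class OrderBook:
    def __init__(self):
        self.latest_nonce = 0            # one counter shared by all accounts
        self.orders = defaultdict(dict)  # (account, market) -> {nonce: order}

    def place_order(self, account, market, order):
        # Increment and store happen inside the same call, and calls
        # execute one after another, so no two calls see the same value.
        self.latest_nonce += 1
        nonce = self.latest_nonce
        slot = self.orders[(account, market)]
        if nonce in slot:
            raise RuntimeError("nonce collision")
        slot[nonce] = order
        return nonce


def run_block(txs):
    """Execute (account, market, order) transactions in the listed order."""
    book = OrderBook()
    return book, [book.place_order(*tx) for tx in txs]


VICTIM_TX = ("victim", "ETH-USD", "limit long 1 @ 1800")   # constructed
ATTACKER_TXS = [("attacker", "ETH-USD", "junk order")] * 3  # constructed


def compare_orderings():
    _, alone = run_block([VICTIM_TX])                    # victim mined alone
    book, nonces = run_block(ATTACKER_TXS + [VICTIM_TX])  # attacker sequenced first
    victim_nonce = nonces[-1]
    return {
        "nonce_alone": alone[0],
        "nonce_front_run": victim_nonce,
        "all_unique": len(set(nonces)) == len(nonces),
        "victim_order_intact":
            book.orders[("victim", "ETH-USD")][victim_nonce] == VICTIM_TX[2],
        "attacker_slots": sorted(book.orders[("attacker", "ETH-USD")]),
    }


if __name__ == "__main__":
    print(compare_orderings())
```

In this model, sequencing other orders first changes which nonce the victim's order receives but never produces a duplicate key or overwrites a stored order.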