Closed sherlock-admin2 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, front-running is not an issue on Base given they operate with a private sequencer as seen in comments of #49. Additionally, execution of orders is permissionless via keepers (anybody can be a keeper), so they are expected to compete to earn keeper fees.
cheatcode
medium
Front-Running Occurs in executeOrder function
Summary
In the executeOrder function, the executor of the order is determined by msg.sender, which is the address that calls the function.
Vulnerability Detail
The executeOrder function does not appear to have mechanisms in place to prevent front-running. Since it relies on msg.sender to determine who is executing the order, anyone who can see the transaction before it is mined has the opportunity to front-run it.
Impact
Poc:
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L378
Tool used
Manual Review
Recommendation
Use Commit-Reveal Schemes or submarine sends
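Added illustration of the commit-reveal recommendation above, as a standalone hypothetical contract; it is not Flat Money's DelayedOrder.sol, and the order bookkeeping (createOrder, the Order struct, REVEAL_DELAY and REVEAL_WINDOW values) is an assumption made only to show the two-step flow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical standalone contract (not the audited DelayedOrder.sol).
/// Order storage is stubbed so the commit/reveal flow is the focus.
contract CommitRevealExecutor {
    struct Order { address account; bool executed; }

    mapping(uint256 => Order) public orders;          // orderId => order (assumed shape)
    mapping(bytes32 => uint256) public commitBlock;   // commitment => block it was made in
    uint256 public constant REVEAL_DELAY = 1;         // blocks a commit must age before reveal
    uint256 public constant REVEAL_WINDOW = 256;      // commits older than this expire

    event OrderExecuted(uint256 indexed orderId, address indexed keeper);

    function createOrder(uint256 orderId) external {
        orders[orderId] = Order({account: msg.sender, executed: false});
    }

    /// Step 1: the keeper publishes only a hash binding the order id to its own
    /// address. A mempool observer learns nothing about which order is targeted.
    function commitExecute(bytes32 commitment) external {
        require(commitBlock[commitment] == 0, "already committed");
        commitBlock[commitment] = block.number;
    }

    /// Step 2: in a later block the keeper reveals (orderId, salt). Because the
    /// commitment hashes in msg.sender, copying the reveal calldata from another
    /// address cannot satisfy the hash check, so the committed keeper keeps the fee.
    function executeOrder(uint256 orderId, bytes32 salt) external {
        bytes32 commitment = keccak256(abi.encode(orderId, msg.sender, salt));
        uint256 committedAt = commitBlock[commitment];
        require(committedAt != 0, "no commitment");
        require(block.number >= committedAt + REVEAL_DELAY, "reveal too early");
        require(block.number <= committedAt + REVEAL_WINDOW, "commitment expired");

        Order storage order = orders[orderId];
        require(order.account != address(0), "unknown order");
        require(!order.executed, "already executed");
        order.executed = true;
        delete commitBlock[commitment];

        // The keeper fee would be paid to msg.sender at this point.
        emit OrderExecuted(orderId, msg.sender);
    }
}
```

The trade-off is latency: every execution now costs two transactions and at least REVEAL_DELAY blocks, which matters for a delayed-order system that already relies on keepers racing to execute promptly.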