Closed sherlock-admin2 closed 9 months ago
2 comment(s) were left on this issue during the judging contest.
PNS commented:
M-1 OZ Audit; Fillers generally estimate gas before execution and use private mempools like flashbots or mevblocker.
0xAadi commented:
Invalid
hunter_w3b
high

GladiusOrderQuoter::quote() vulnerable to frontrunning attacks

Summary
The GladiusOrderQuoter contract is vulnerable to frontrunning attacks due to its ability to pre-process orders off-chain.

Vulnerability Detail
The quote() method calls the reactor's executeWithCallback prematurely, providing order details to any observer before actual execution. This allows frontrunning where another party can submit their own order using the leaked information, such as submitting with a better price if it is a buy order.

Impact
It allows opportunistic traders to gain an advantage over the originators by reacting faster based on the leaked order details.

Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lens/GladiusOrderQuoter.sol#L26-L40
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L65-L79
Tool used
Manual Review
Recommendation
The quote method should not actually call the reactor contract to pre-process orders. It should only validate the order structure without revealing details or pre-executing.