sherlock-audit / 2024-09-predict-fun-judging


dany.armstrong90 - `PredictDotLoan.acceptLoanOfferAndFillOrder()` function is vulnerable to a front-run attack. #241

Open sherlock-admin3 opened 1 month ago

sherlock-admin3 commented 1 month ago

dany.armstrong90

Medium

PredictDotLoan.acceptLoanOfferAndFillOrder() function is vulnerable to a front-run attack.

Summary

The PredictDotLoan.acceptLoanOfferAndFillOrder() function doesn't check any authority for the caller. Therefore, a caller can front-run the matcher's tx to steal the incentives for the matcher.

Root Cause

The acceptLoanOfferAndFillOrder() is the following.

    function acceptLoanOfferAndFillOrder(
        Order calldata exchangeOrder,
        Proposal calldata proposal
    ) external nonReentrant whenNotPaused {
        _assertProposalIsLoanOffer(proposal);

        --- SKIP ---

            _transferExcessCollateralIfAny(
                positionId,
@>              msg.sender,
                collateralAmountRequired,
                collateralTokenBalanceIncrease
            );

        --- SKIP ---
    }

As can be seen, the above function doesn't check authority for the caller and transfers excess collateral to the caller if any. At the same time, the caller doesn't consume any funds of his/her own.

Internal pre-conditions

No response

External pre-conditions

  1. There should be excess collateral when the matcher calls the acceptLoanOfferAndFillOrder() function. This condition will hold true in general because, if there is no excess collateral, most likely no one will call acceptLoanOfferAndFillOrder().

Attack Path

  1. A matcher calls the acceptLoanOfferAndFillOrder() function to receive excess collateral.
  2. An attacker front-runs the matcher's tx with the same exchangeOrder and proposal parameters.

Impact

An attacker can steal the funds of the matcher by front-running. As per the readme, the protocol will be potentially deployed on "any EVM chains with a prediction market that uses Polymarket’s CTF exchange and neg risk protocol", e.g. Ethereum, where front-running is available.

PoC

No response

Mitigation

There are two available mitigations.

  1. Add an authority check to the function.
  2. Use a commit-reveal scheme for the function.
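
One way to implement the commit-reveal mitigation named in the report, added here as an example; it is not code from the report or from PredictDotLoan. The contract name, `commit`, `computeCommitment`, `_consumeCommitment`, `MIN_REVEAL_DELAY` and the `orderHash`/`proposalHash`/`salt` parameters are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not PredictDotLoan code. All names here are hypothetical.
abstract contract CommitRevealMatcher {
    // Assumed delay: the reveal must land at least one block after the commit.
    uint256 public constant MIN_REVEAL_DELAY = 1;

    // commitment => block number at which it was recorded (0 = unknown)
    mapping(bytes32 => uint256) public committedAt;

    error AlreadyCommitted();
    error NoCommitment();
    error RevealTooEarly();

    /// Step 1: the matcher publishes only a hash, so the pending transaction
    /// discloses neither the order nor the proposal it intends to match.
    function commit(bytes32 commitment) external {
        if (committedAt[commitment] != 0) revert AlreadyCommitted();
        committedAt[commitment] = block.number;
    }

    /// The caller's address is part of the preimage, so a commitment made by
    /// one account cannot be revealed by a different account.
    function computeCommitment(
        address caller,
        bytes32 orderHash,
        bytes32 proposalHash,
        bytes32 salt
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(caller, orderHash, proposalHash, salt));
    }

    /// Step 2: call at the top of the matching function, before any transfer.
    /// A copied reveal recomputes the hash with the copier's msg.sender,
    /// finds no matching commitment, and reverts.
    function _consumeCommitment(bytes32 orderHash, bytes32 proposalHash, bytes32 salt) internal {
        bytes32 c = computeCommitment(msg.sender, orderHash, proposalHash, salt);
        uint256 at = committedAt[c];
        if (at == 0) revert NoCommitment();
        if (block.number < at + MIN_REVEAL_DELAY) revert RevealTooEarly();
        delete committedAt[c]; // single use: the same reveal cannot be replayed
    }
}
```

The matcher computes the commitment off-chain with a random `salt`, sends `commit`, and only then submits the matching call; the delay check ensures a commitment created after seeing the reveal cannot be used in the same block.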