ZC002
High
Malicious User can frontrun loan/order cancellations
Summary
The acceptLoanOfferAndFillOrder function in the lending contract of this Polymarket fork introduces a vulnerability that allows malicious actors to front-run order cancellations. The vulnerability arises from a new execution path for orders that bypasses Polymarket's original bot-based execution of signed orders.
In the original Polymarket implementation, all orders are executed by the off-chain bot that matches them. This completely mitigates the risk of a user front-running the cancellation of an order. The lending contract in this protocol, however, allows a malicious user to front-run cancellations in both the CTF Exchange and the loan contract itself.
Given the team's and developers' comments that the protocol is to be deployed on EVM-compatible chains such as Polygon, front-running is possible.
Internal pre-conditions
The Victim makes a call to cancel either their loan order or their exchange selling order.
External pre-conditions
None
Attack Path
Alice creates a sell order for their conditional tokens
Alice decides to cancel the order and submits a cancellation transaction (let's assume the value of the tokens being sold has increased).
Bob (attacker) monitors the mempool and observes Alice's cancellation transaction.
Bob quickly crafts a transaction calling acceptLoanOfferAndFillOrder with Alice's original order data.
Bob submits this transaction with a higher gas price to ensure it's mined before Alice's cancellation.
Bob's transaction is processed first, executing Alice's order through the lending contract.
Alice's cancellation transaction is mined but has no effect as the order has already been filled.
Note: A similar attack path could be followed for a loan order.
Impact
Financial Loss: Users may lose assets they intended to keep, resulting in unintended financial transactions.
Market Manipulation: Sophisticated actors gain an unfair advantage, potentially leading to market inefficiencies and manipulation.
Root Cause
The introduction of a new execution path (acceptLoanOfferAndFillOrder) that operates independently of Polymarket's existing order management and cancellation systems. This function allows any user to assume the role of the otherwise off-chain bot. https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L214-L232
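To illustrate the root cause, here is a simplified Solidity sketch added to this write-up; it is not the project's code. It assumes the exchange only lets a registered operator fill orders and that the lending contract was registered as such an operator so it can fill orders on callers' behalf; all contract and function names other than acceptLoanOfferAndFillOrder are made up. The gated variant at the end is one way to restore the operator-only trust boundary and is an assumption, not the report's mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified exchange (illustration only): signed orders are filled solely by
// a trusted off-chain operator, so a pending cancelOrder cannot be raced by an
// arbitrary account. Signature and maker checks are omitted for brevity.
contract SimplifiedExchange {
    address public immutable operator;
    mapping(bytes32 => bool) public cancelled;
    mapping(bytes32 => bool) public filled;

    constructor(address _operator) {
        operator = _operator;
    }

    // Assumption: msg.sender is the order maker (check omitted here).
    function cancelOrder(bytes32 orderHash) external {
        cancelled[orderHash] = true;
    }

    // Only the operator (the matching bot) may fill an order.
    function fillOrder(bytes32 orderHash) external {
        require(msg.sender == operator, "not operator");
        require(!cancelled[orderHash] && !filled[orderHash], "order inactive");
        filled[orderHash] = true;
    }
}

// Simplified lending contract registered as the exchange's operator.
contract SimplifiedLending {
    SimplifiedExchange public immutable exchange;
    address public immutable trustedBot; // hypothetical off-chain bot address

    constructor(SimplifiedExchange _exchange, address _trustedBot) {
        exchange = _exchange;
        trustedBot = _trustedBot;
    }

    // Vulnerable pattern: any caller can push any order through the exchange,
    // effectively becoming the operator. Whoever sees a pending cancellation
    // in the mempool can have the order filled before it lands.
    function acceptLoanOfferAndFillOrder(bytes32 orderHash) external {
        exchange.fillOrder(orderHash);
    }

    // Assumed hardening (not from the report): keep the original trust model
    // by letting only the trusted bot drive fills through this contract.
    function acceptLoanOfferAndFillOrderGated(bytes32 orderHash) external {
        require(msg.sender == trustedBot, "not trusted bot");
        exchange.fillOrder(orderHash);
    }
}
```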
PoC
No response
Mitigation
No response