tokamak-network / tokamak-bridge

An interface designed to bridge assets between Titan and Ethereum chains.
https://app.bridge.tokamak.network

[Cross Trade - Contract Bugs]: There is a vulnerability in the provideCT method that allows front-running #188

Closed blackcow1987 closed 4 weeks ago

blackcow1987 commented 1 month ago

What happened?

A malicious user can force the victim to pay more tokens than expected by frontrunning the editFee method when the victim calls the provideCT method.

=> https://github.com/tokamak-network/tokamak-bridge/blob/public-test/crosstrade/contracts/L1/L1CrossTrade.sol#L100

Relevant log output

No response

zzooppii commented 1 month ago

Thank you, @blackcow1987. I will change it so that I also receive the edit amount when providingCT.

zzooppii commented 4 weeks ago

@blackcow1987 https://github.com/tokamak-network/crossTrade/commit/c28bb0ac5078d921e021ded84132a5205f487e49

I have revised what you said.

If you have any additional comments, please let me know.

blackcow1987 commented 4 weeks ago

I will review the changes!
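
Added example, not part of the thread and not the project's code: a simplified Solidity model of the ordering problem reported in this issue, next to the kind of check the maintainer's reply describes (passing the expected amount into `provideCT`). Only the names `provideCT` and `editFee` come from the page; the contract layout, `open`, `provideCTUnchecked`, `_fill`, and the assumption that the requester is the one allowed to call `editFee` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration; not the L1CrossTrade.sol source.
// Every name except provideCT and editFee is hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CrossTradeSketch {
    struct Request {
        address requester; // receives the provider's payment
        address token;     // token the provider pays in
        uint256 ctAmount;  // what the provider must pay; mutable via editFee
    }
    mapping(bytes32 => Request) public requests;
    error AmountChanged(uint256 expected, uint256 current);

    // Hypothetical helper so the sketch is self-contained.
    function open(bytes32 id, address token, uint256 ctAmount) external {
        require(requests[id].requester == address(0), "exists");
        requests[id] = Request(msg.sender, token, ctAmount);
    }

    // Assumption: the requester may change the amount until the request is filled.
    function editFee(bytes32 id, uint256 newCtAmount) external {
        require(msg.sender == requests[id].requester, "not requester");
        requests[id].ctAmount = newCtAmount;
    }

    // Before: pays whatever is in storage at execution time, so an editFee
    // ordered first changes the amount after the provider has signed.
    function provideCTUnchecked(bytes32 id) external {
        _fill(id);
    }

    // After: the provider passes the amount it agreed to; a mismatch reverts.
    function provideCT(bytes32 id, uint256 expectedCtAmount) external {
        uint256 current = requests[id].ctAmount;
        if (current != expectedCtAmount) revert AmountChanged(expectedCtAmount, current);
        _fill(id);
    }

    function _fill(bytes32 id) private {
        Request memory r = requests[id];
        require(r.requester != address(0), "unknown request");
        delete requests[id]; // state change before the external call
        require(IERC20(r.token).transferFrom(msg.sender, r.requester, r.ctAmount), "transfer failed");
    }
}
```

A provider-side token allowance limited to the agreed amount gives a second bound on what the unchecked path can pull, but the on-chain equality check is what makes the call fail cleanly when the terms change.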