Front-runner attack possible

[pertsev]

Accordingly with logShiftAndBookAward function, there is deterministic way to get all "phase change awards" by attacker.

Attack scenario for non-miner participant:

The attacker can monitor all pending transactions to CtdToken contract and send transaction with appropriate gasPrice at desirable moment.

Examples:

First Pre-ICO token: After ICO started (as I suppose - 12.10.2017 at 13:58 PM), attacker just raise gasPrice above average and miner put his transaction at top of block. So first transaction got award (0.1 ETH). From Pre-ICO A to Pre-ICO B: When it is close to finish of Pre-ICO, attacker send two transactions: First one - transaction to close Pre-ICO_A with maximum gasPrice (0.1 ETH here) Second - transaction to start new Phase (Pre-ICO_B) with slightly less gasPrice (but more than default or average). (0.2 ETH here) Last challenge - closing Pre-ICO_B: same way - just wait a moment and send transaction with maximum gasPrice. (0.5 ETH)

Attack scenario for miner:

The miner can reorder transactions at block at any appropriate way. There is no mitigation of it (but it's not so probable).

Possible mitigations

You can control gasPrice by smartcontract with tx.gasprice api.

Exploit

For example, exploit can use rpc api of geth node to get all pending transactions, then filter them by receiver (CtdToken contract addr) and etc... Say me, if you need more clarifying.

[vkonst]

Not an issue

A competition between users for the award(s) is an expected behavior that ensures switching of the ICO phases . Any transaction is a subject for the attack in question. In in our case it does not create any special risk.

However, thank you for the point you made.