
Custom Pineapple Newt

Medium

Market owners can still front-run users to increase fees

Summary

Issue #125's fix from the previous Sherlock audit still allows market owners to front-run users and increase fees.

Root Cause

In TellerV2.sol, a user submitting a bid can still be front-run by the market owner, who raises the fee and forces the user to pay a higher fee amount.

Internal pre-conditions

None

External pre-conditions

None

Attack Path

  1. User submits bid
  2. Market owner front-runs the user's tx with call to setMarketFeePercent
  3. User gets charged higher fee

Impact

The issue is that the fix from the previous audit simply limited market owners to a maximum fee percentage of 10%. This still allows the front-running to happen. For example, if the market fee is 1% and the owner front-runs the user's call to submit a bid and raises it to 10%, the user now pays 10x more in fees.

Thus, the "fix" for the previous issue does not protect users from the loss caused by a fee increase; the loss is now merely limited to 10x instead of 100x.

PoC

No response

Mitigation

An option would be a timelock. When a market owner increases or decreases the fee, don't apply the change until 24h later, or a similar delay.
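A sketch of the timelock described above, added here as an example and not code from TellerV2: the contract name, the `Market` struct, the `pendingFeeActiveAt` field, the 10% cap in basis points and the 24-hour `FEE_DELAY` are all assumptions. A bid is charged only the fee that was already effective when it was submitted, so an owner's `setMarketFeePercent` in the same block cannot change what the bidder pays.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical timelocked market fee (illustration, not TellerV2's own code).
contract TimelockedMarketFee {
    uint16 public constant MAX_FEE_PERCENT = 1000; // 10% in basis points (the existing cap)
    uint256 public constant FEE_DELAY = 24 hours;  // delay assumed from the mitigation

    struct Market {
        address owner;
        uint16 feePercent;          // fee currently charged to bids, in bps
        uint16 pendingFeePercent;   // fee queued by the owner
        uint256 pendingFeeActiveAt; // when the queued fee becomes effective (0 = none)
    }

    mapping(uint256 => Market) public markets;

    event FeeChangeScheduled(uint256 indexed marketId, uint16 newFeePercent, uint256 activeAt);

    function createMarket(uint256 marketId, uint16 feePercent) external {
        require(markets[marketId].owner == address(0), "exists");
        require(feePercent <= MAX_FEE_PERCENT, "fee above cap");
        markets[marketId] = Market(msg.sender, feePercent, 0, 0);
    }

    /// Owner can only *schedule* a change; it cannot hit a bid already in the mempool.
    function setMarketFeePercent(uint256 marketId, uint16 newFeePercent) external {
        Market storage m = markets[marketId];
        require(msg.sender == m.owner, "not owner");
        require(newFeePercent <= MAX_FEE_PERCENT, "fee above cap");
        _applyPending(m); // finalize an earlier change whose delay already elapsed
        m.pendingFeePercent = newFeePercent;
        m.pendingFeeActiveAt = block.timestamp + FEE_DELAY;
        emit FeeChangeScheduled(marketId, newFeePercent, m.pendingFeeActiveAt);
    }

    /// Fee a bid pays right now: a pending change counts only once its delay has passed.
    function currentFeePercent(uint256 marketId) public view returns (uint16) {
        Market storage m = markets[marketId];
        if (m.pendingFeeActiveAt != 0 && block.timestamp >= m.pendingFeeActiveAt) {
            return m.pendingFeePercent;
        }
        return m.feePercent;
    }

    function _applyPending(Market storage m) internal {
        if (m.pendingFeeActiveAt != 0 && block.timestamp >= m.pendingFeeActiveAt) {
            m.feePercent = m.pendingFeePercent;
            m.pendingFeeActiveAt = 0;
        }
    }
}
```

A `submitBid` built on this would compute the fee as `principal * currentFeePercent(marketId) / 10000`, so the bidder can read the fee that will apply for the next 24 hours before sending the transaction.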