Glorious Heather Panther
Medium
The removeMarketConfig function, restricted to trusted admins, allows removing a market configuration by swapping the target index with the last index in the marketConfigs array and then popping the last element. However, when _createMarket is called simultaneously or shortly after a configuration removal, a race condition may occur. This could result in the _createMarket function using an unintended configuration due to index swapping. In ReputationMarket.sol::388
https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L388
No response
No response
No response
No response
The _createMarket function might create a market using an unintended configuration, leading to use of unintended parameters. If users assume their specified marketConfigIndex will remain unchanged, they might inadvertently fund or interact with markets based on incorrect or unintended configurations.
The marketConfigs array contains the following configurations:
marketConfigs = [ { creationCost: 100, basePrice: 50, liquidity: 10 }, // Config 0 { creationCost: 200, basePrice: 100, liquidity: 20 }, // Config 1 { creationCost: 300, basePrice: 150, liquidity: 30 } // Config 2 ];
User A submits a transaction to create a market using marketConfigIndex = 1 (the configuration with creationCost: 200).
Before User A's transaction is mined, the admin calls removeMarketConfig(1) to remove the configuration at index 1. This now gives the array as : marketConfigs = [ { creationCost: 100, basePrice: 50, liquidity: 10 }, // Config 0 { creationCost: 300, basePrice: 150, liquidity: 30 } // Config 1 (was Config 2) ];
by the time user A's call goes through: his traget marketConfigIndex of 1 now points to and gets executed with the unintended details
Introduce a grace period by marking configurations as pending removal before fully deleting them, ensuring no active or pending transactions rely on the affected index. No response