Skip to content

Latest commit

 

History

History
54 lines (34 loc) · 1.51 KB

056.md

File metadata and controls

54 lines (34 loc) · 1.51 KB

Clean Hemp Barracuda

Medium

Front-Runnable maxFee Reduction

Summary

Users can reduce the maxFee of an existing order, creating a race condition where keepers may execute orders at lower fees than initially promised.

point is the placeOrder function. It allows updating an order with a lower maxFee, which might let users reduce fees after keepers have already committed gas. This creates a race condition where keepers might not get paid adequately, leading to potential losses.

Root Cause

Code Reference:

function _placeOrder(...) private {
    if (!old.isEmpty() && old.maxFee.gt(order.maxFee)) 
        revert ManagerCannotReduceMaxFee(); // ❌ Only prevents reducing maxFee, not front-running
}

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

Scenario:

  1. User Action: Alice places an order with maxFee = 10 DSU.
  2. Keeper Sees Order: Begins processing, expecting 10 DSU.
  3. User Front-Runs: Updates order to maxFee = 5 DSU.
  4. Result: Keeper receives 5 DSU but spent gas based on 10 DSU.

Impact

  • Keeper Losses: Keepers commit gas expecting a higher fee, but receive less after a user front-runs the transaction.
  • Protocol Trust: Users can exploit this to underpay keepers, damaging protocol credibility.

PoC

No response

Mitigation

  • Enforce a minimum fee increase threshold (e.g., newMaxFee ≥ oldMaxFee * 0.9).
  • Implement a time-delay for fee reductions.