Clean Hemp Barracuda - Front-Runnable maxFee Reduction

[sherlock-admin2]

Clean Hemp Barracuda

Medium

Front-Runnable maxFee Reduction

Summary

Users can reduce the maxFee of an existing order, creating a race condition where keepers may execute orders at lower fees than initially promised.

point is the placeOrder function. It allows updating an order with a lower maxFee, which might let users reduce fees after keepers have already committed gas. This creates a race
condition where keepers might not get paid adequately, leading to potential
losses.

Root Cause

Code Reference:

function _placeOrder(...) private {
    if (!old.isEmpty() && old.maxFee.gt(order.maxFee)) 
        revert ManagerCannotReduceMaxFee(); // ❌ Only prevents reducing maxFee, not front-running
}

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

Scenario:

1. User Action: Alice places an order with maxFee = 10 DSU.
2. Keeper Sees Order: Begins processing, expecting 10 DSU.
3. User Front-Runs: Updates order to maxFee = 5 DSU.
4. Result: Keeper receives 5 DSU but spent gas based on 10 DSU.

Impact

• Keeper Losses: Keepers commit gas expecting a higher fee, but receive less after a user front-runs the transaction.
• Protocol Trust: Users can exploit this to underpay keepers, damaging protocol credibility.

PoC

No response

Mitigation

• Enforce a minimum fee increase threshold (e.g., newMaxFee ≥ oldMaxFee * 0.9).
• Implement a time-delay for fee reductions.