-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
function brokerClaim is vulnerable to frontrunning #111
Comments
minhquanym marked the issue as primary issue |
0xRektora marked the issue as disagree with severity |
|
0xRektora marked the issue as sponsor confirmed |
I agree with the sponsor. The full risk is gas cost of redeploying. No one can mint beside the broker, so protocol funds cannot be lost here. Downgrading to QA for medium risk reports, overinflated for high risk. |
dmvt changed the severity to QA (Quality Assurance) |
dmvt marked the issue as grade-b |
Lines of code
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/oTAP.sol?plain=1#L126
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/aoTAP.sol?plain=1#L139
Vulnerability details
Impact
The attacker can execute the function before the deployer due to front-running, after which the broker variable will become equal to the address of the attacker, and attacker will gain control over all the functions of the smart contract with the onlyBroker modifier.
Proof of Concept
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/oTAP.sol?plain=1#L126
Tools Used
manual
Recommended Mitigation Steps
It is necessary to move the initialization of the broker variable to the constructor or ensuring atomic creation+deployment with script or factory contract.
Assessed type
MEV
The text was updated successfully, but these errors were encountered: