Skip to content

Latest commit

 

History

History
88 lines (59 loc) · 2.54 KB

File metadata and controls

88 lines (59 loc) · 2.54 KB

Dapper Amber Starfish

Medium

Missing Slippage Protection in Vote Selling Mechanism

Summary

The absence of slippage protection in the sellVotes function will cause an unfair price execution vulnerability for vote sellers as market price fluctuations between transaction submission and execution can result in worse-than-expected trade execution prices.

Root Cause

While Base blockchain's architecture prevents traditional front-running attacks, market prices can still change between when a user submits their transaction and when it gets executed.

The sellVotes function in ReputationMarket contract lacks slippage protection, unlike its buying counterpart. This oversight allows transactions to be executed at potentially unfavorable prices due to natural market movements during the period between transaction submission and execution.

  function sellVotes(
    uint256 profileId,
    bool isPositive,
    uint256 amount
  ) public whenNotPaused activeMarket(profileId) nonReentrant {
    _checkMarketExists(profileId);

    // calculate the amount of votes to sell and the funds received
    (
      uint256 votesSold,
      uint256 fundsReceived,
      ,
      uint256 protocolFee,
      uint256 minVotePrice,
      uint256 maxVotePrice
    ) = _calculateSell(markets[profileId], profileId, isPositive, amount);

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/ReputationMarket.sol#L495

Internal pre-conditions

  1. User must have votes to sell in the market
  2. Market must be active (not graduated)
  3. Market must exist

External pre-conditions

No response

Attack Path

  1. Alice initiates a transaction to sell votes at expected price X
  2. During the period before Alice's transaction is executed:
  • Multiple users make trades
  • Market price moves significantly downward
  1. Alice's transaction gets executed:
  • The current market price is now much lower than when Alice submitted
  • Alice's votes are sold at this lower price

Impact

Financial loss for users due to unfavorable price execution

PoC

No response

Mitigation

Add slippage protection to the sellVotes function

function sellVotes(
    uint256 profileId,
    bool isPositive,
    uint256 amount,
    uint256 minExpectedFunds,    // Add minimum expected funds parameter
) public whenNotPaused activeMarket(profileId) nonReentrant {

...
    // Add slippage check
    if (fundsReceived < minExpectedFunds) {
            revert SlippageLimitExceeded();
    }