Broad Grey Dragon
High
No Protection Against Front-running in Fee Calculation (Preview Functions): previewEntryFees & previewExitFees
https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L1106-L1112 https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L1120-L1125 The functions previewEntryFees and previewExitFees provide users with estimated costs based on current market conditions. However, these functions do not interact with the blockchain state or guarantee that the prices won’t change by the time the transaction is executed, making them vulnerable to front-running attacks.
The issue arises because these functions provide fee previews without any protection against the timing of the transaction. In a typical scenario, an attacker could monitor the fee previews, act on the information, and submit their transaction before the original user’s transaction is processed. This is commonly known as a front-running attack.
previewEntryFees: This function calculates the total cost including fees for entering a market. previewExitFees: This function calculates the total proceeds after subtracting protocol fees for exiting a market.
The attacker calls previewEntryFees or previewExitFees to view the fee calculations, which are based on the current state of the market. The attacker observes the fees and determines that they could manipulate the market in a way that would either: Increase the fees the user will pay by submitting a transaction first. Manipulate the market state to exploit the user's transaction, resulting in unfair fee conditions. The attacker then submits their own transaction, exploiting the observed fee conditions before the original user executes their transaction. This results in the user paying a different (typically higher) fee, or the attacker gaining an advantage through altered market conditions.
The fee preview functions (previewEntryFees, previewExitFees) only consider the current market state, which is observable and predictable by external users. There's no mechanism in place to lock in the fees once they are previewed, leading to a window of opportunity for attackers to front-run or manipulate the market state.
Economic Exploitation Market Manipulation Severity: High Likelihood: Medium to High Impact: Significant
Consider implementing a commit-reveal scheme or time-locking mechanisms that prevent attackers from predicting and manipulating the fees between preview and execution.