Skip to content

Latest commit

 

History

History
63 lines (41 loc) · 1.6 KB

054.md

File metadata and controls

63 lines (41 loc) · 1.6 KB

Interesting Cedar Hare

Medium

Transaction DOS via permit() front-running

Summary

The permit() data, once submitted, is publicly accessible in the mempool, allowing anyone to execute the permit by replicating the transaction arguments. Once permit() has been called, the second call with identical parameters will revert.

In a scenario where a signed transaction includes PERMIT_CODE, a malicious actor could frontrun and "activate" this permit, bypassing the router's start() function. As a result, the legitimate user's start() transaction would fail:

Root Cause

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L315

uint256 amount, address owner, bool permit, bytes calldata permitPayload ) internal { if (permit) { IAutomation.Permit2Payload memory payload = abi.decode( permitPayload, (IAutomation.Permit2Payload) );

        permit2.permit(owner, payload.permitSingle, payload.signature);
        permit2.transferFrom(
            owner,
            address(this),
            uint160(amount),
            address(token)
        );
    } else {
        token.safeTransferFrom(owner, address(this), amount);
    }
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

We recommended using the try/catch pattern for permit operations to prevent reverts.