Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Add Confirmed Toll Parameter When Sending ETH To Avoid Admin Frontrunning
See original GitHub issueProblem
The current version of Umbra.sol contract has the following method:
function setToll(uint256 _newToll) public onlyOwner {
toll = _newToll;
}
I believe it can raise some trust concerns: in its current implementation the toll can be changed without users’ awareness.
We can imagine the following scenario:
- User sends a transaction with
X+T1as a total amount, whereXis intended transfer amount andTistoll - Contract owner sets the
tolltoT2(which, for instance, is higher thanT1) - A transaction setting the new
tollgets mined first - User’s transaction gets mined second, the actual amount transferred to the recipient becomes
X+T1-T2
Potential issues:
- Users’ transactions can be spoiled. For example, if they are processed by an automated payment system, receiving lesser amount would render a payment invalid, which would lead to loosing the funds.
- It could be seen as a potential attack vector for a contract owner to steal users’ funds. Owner could watch the network for a transaction that transfers a certain amount of ETH, and while the transaction is still in the mempool, they could try to broadcast a transaction changing
tollthat would get mined before the user’s transaction.
Possible solutions
Getting rid of the toll completely
It seems to be the most simple way of solving the problem. Though probably there are some reasons to leave it (like spam protection, etc), so I think it can be a good opportunity to discuss them and determine the importance of having toll.
Accepting confirmedToll as a sendEth argument
A user would be able to confirm amount of toll they agree to pay. We could check if confirmedToll equals current toll set in the contract and reject a transaction if it doesn’t. This can protect a user from loosing their funds in the described scenario, but we can also keep the toll if it proves to be useful.
Making toll immutable
We could leave it just as a constructor argument, thus removing setToll function and resolving the trust issue.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:6 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Great thanks @mds1 and @mvlabat. We will go with this approach!
Hi folks! @apbendi, sorry for missing your question. Yeah, I think that those proposed solutions are also valid options. But I still believe that the
confirmedTollparameter is the most simple and secure one among the others that we’ve discussed, so I’ll be absolutely happy if you decide to go with this approach.