Open
Description
Due to the preferred restriction of a 1:1 relationship between indexer and Graphcast agent, there exists a vulnerability for indexers who submit a transaction to set their Graphcast agent: a malicious actor can frontrun the transaction to prevent someone from setting the desired agent address.
POC
- Alice wants to set her operator to 0x1234. She calls `setGossipOperator(0x1234)`.
- Malicious Bob sees this in the mempool and sends another `setGossipOperator(0x1234)` with a higher gas price.
- After Bob's tx succeeds, Alice's will fail because `operatorRegistered[0x1234]` is already set.
Potential solutions
- commit/reveal scheme like ENS: first transaction with hash of gossip address, second transaction reveals the preimage and claims it
- Instead of requiring the `address` field for the Graphcast operator, require a message signed by the operator private key. The message object should contain both the operator address and the message sender address. The contract verifies msg.sender and the message signature.
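
A sketch of the second proposed solution, added here as an example and not taken from the Graphcast contract: the operator key signs a digest that binds the operator address to the indexer's address, so a copied transaction sent from Bob's account recovers a different signer and reverts. The contract name, the `gossipOperatorOf` mapping, the `consentDigest` helper and the inclusion of chain id and contract address in the digest are assumptions; only `setGossipOperator` and `operatorRegistered` come from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: hypothetical registry, not the project's own contract.
contract GossipRegistrySketch {
    // indexer => operator (assumed name)
    mapping(address => address) public gossipOperatorOf;
    // operator => taken? (name from the issue)
    mapping(address => bool) public operatorRegistered;

    // Digest the operator key signs off-chain (EIP-191 personal_sign form).
    // Chain id and contract address are an added assumption so the consent
    // cannot be replayed on another chain or against another registry.
    function consentDigest(address indexer, address operator)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), indexer, operator)
        );
        return keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );
    }

    function setGossipOperator(address operator, uint8 v, bytes32 r, bytes32 s)
        external
    {
        // ecrecover returns address(0) on a bad signature, so the zero
        // address must never be accepted as an operator.
        require(operator != address(0), "zero operator");
        require(!operatorRegistered[operator], "operator already registered");

        // msg.sender is part of the digest: the same (v, r, s) submitted
        // from any other account recovers a different address and reverts.
        address signer = ecrecover(consentDigest(msg.sender, operator), v, r, s);
        require(signer == operator, "operator did not sign for this sender");

        // Release the indexer's previous operator to keep the 1:1 relation.
        address previous = gossipOperatorOf[msg.sender];
        if (previous != address(0)) operatorRegistered[previous] = false;

        gossipOperatorOf[msg.sender] = operator;
        operatorRegistered[operator] = true;
    }
}
```

Because the signature is only valid for the indexer it names, it can sit in the public mempool without giving a frontrunner anything to claim.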