Take ownership of an NFT (front-running)
In an open protocol, anyone can list an item, but the item first needs to be approved.
An attacker can monitor the mempool for approval transactions.
On seeing such a transaction, the attacker can front-run the owner's listItem call by submitting the same call with a price of 1 wei.
Because the NFT has already been approved, it will get transferred to the attacker’s address.
There are two options to fix this problem (and we don’t even mean using the notListed modifier):
- Option 1 — Replace seller with msg.sender and don’t use seller at all
- Option 2 — If the business logic requires a seller argument, implement signature verification: the owner of the NFT signs the nftAddress, tokenId, and price beforehand, and the transaction executor provides that signature to prove the owner has indeed approved these values.
The verification is done with ecrecover: the item gets listed only if the recovered address is the seller.
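A sketch of Option 2 as an added example, not Audita's code or the audited contract's. The contract name, the per-seller nonce, the chain id and contract address in the digest, and the escrow transfer are assumptions beyond the nftAddress, tokenId and price the article names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical marketplace: all names here are illustrative assumptions.
contract SignedListingMarket {
    struct Listing { address seller; uint256 price; }
    mapping(address => mapping(uint256 => Listing)) public listings;
    mapping(address => uint256) public nonces; // per-seller, consumed on each listing

    // Digest the owner signs off-chain (e.g. with personal_sign).
    // nftAddress, tokenId and price come from the article; chain id, this
    // contract's address and the nonce are added so a signature cannot be
    // replayed on another chain, another market, or a second time.
    function listingDigest(address seller, address nftAddress, uint256 tokenId, uint256 price)
        public view returns (bytes32)
    {
        bytes32 h = keccak256(abi.encode(
            block.chainid, address(this), nftAddress, tokenId, price, nonces[seller]));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    function listItem(
        address seller, address nftAddress, uint256 tokenId, uint256 price,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(price > 0, "price is zero");
        bytes32 digest = listingDigest(seller, nftAddress, tokenId, price);
        address signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) for an invalid signature, so reject it
        // explicitly; otherwise seller == address(0) would pass the comparison.
        require(signer != address(0) && signer == seller, "not signed by seller");
        require(IERC721(nftAddress).ownerOf(tokenId) == seller, "seller is not owner");

        nonces[seller]++; // invalidate this signature before the state-changing external call
        listings[nftAddress][tokenId] = Listing(seller, price);
        // Escrow the approved NFT; it moves only under terms the owner signed.
        IERC721(nftAddress).transferFrom(seller, address(this), tokenId);
    }
}
```

A front-runner who copies the call with a price of 1 wei produces a different digest, so ecrecover yields an address other than the seller and the call reverts.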
Now your NFTs are safe from front-running!
We hope this article has been helpful to you.
PART 2 of Audita’s Vulnerability Highlights will be out soon.
Follow us on Twitter @AuditaSecurity and join us in our quest.
Stay safu!
Audita’s Team