Because of the preferred 1:1 restriction between an indexer and its Graphcast agent, there is a vulnerability for indexers who submit a transaction to set their Graphcast agent: a malicious actor can front-run the transaction and prevent them from setting the desired agent address.
POC
- Alice wants to set her operator to 0x1234. She calls setGossipOperator(0x1234).
- Malicious Bob sees this in the mempool and sends another setGossipOperator(0x1234) with a higher gas price.
- After Bob's tx succeeds, Alice's will fail because operatorRegistered[0x1234] is already set.
Potential solutions
- Commit/reveal scheme like ENS: a first transaction submits the hash of the gossip address, and a second transaction reveals the preimage and claims it.
- Instead of requiring the address field for the Graphcast operator, require a message signed by the operator's private key. The message object should contain both the operator address and the message sender address; the contract verifies msg.sender against the message and checks the signature.
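The vulnerable setter next to the signed-message variant from the second proposed solution, as an added Solidity sketch that is not the Graphcast registry's own code; setGossipOperator and operatorRegistered come from the issue, while the contract name, the signed-message encoding (EIP-191 prefix over operator, msg.sender and the contract address) and the setGossipOperatorSigned name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

/// Illustrative registry (assumed, not the Graphcast registry's code). The
/// function and mapping names follow the issue; the signature scheme below is
/// one concrete reading of the "message signed by the operator key" proposal.
contract GossipOperatorRegistry {
    mapping(address => address) public gossipOperator;   // indexer => operator
    mapping(address => bool) public operatorRegistered;  // operator => taken?
    event SetGossipOperator(address indexed indexer, address indexed operator);

    // Vulnerable form from the issue: anyone can reserve an operator address,
    // so a front-runner makes the legitimate indexer's transaction revert.
    function setGossipOperator(address operator) external {
        require(!operatorRegistered[operator], "operator already registered");
        operatorRegistered[operator] = true;
        gossipOperator[msg.sender] = operator;
        emit SetGossipOperator(msg.sender, operator);
    }

    // Hardened form: the caller must present a signature made with the operator
    // key over (operator, msg.sender, this contract). A front-runner cannot replay
    // Alice's signature because it is bound to msg.sender == Alice, and cannot
    // produce his own without the operator's private key.
    function setGossipOperatorSigned(address operator, bytes calldata sig) external {
        require(!operatorRegistered[operator], "operator already registered");
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(operator, msg.sender, address(this)))
        ));
        require(recover(digest, sig) == operator, "bad operator signature");
        operatorRegistered[operator] = true;
        gossipOperator[msg.sender] = operator;
        emit SetGossipOperator(msg.sender, operator);
    }

    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        // Reject high-s values so each signature has a single canonical form.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

Including address(this) in the signed payload keeps a signature from being replayed against another deployment of the registry.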