
feat: Add front-running and MEV vulnerability detection rule (CP-119) #16

Description

@Nanle-code

Overview

Miner/Maximal Extractable Value (MEV) and transaction ordering attacks are among the most underreported vulnerability classes in smart contracts. Contracts that make decisions based on state that can be manipulated between the time a transaction is submitted and when it is mined are vulnerable to front-running. ChainProof needs a dedicated rule to surface these patterns.

Vulnerability Patterns to Detect

1. Commit-Reveal Scheme Absence in Auction/Lottery Contracts

uint256 public highestBid;      // state the bid is compared against
address public highestBidder;

function bid(uint256 amount) external {
    require(amount > highestBid, "too low");
    highestBid = amount;
    highestBidder = msg.sender;
    // Attacker in the mempool sees this tx and front-runs with amount + 1
}

2. Approval Front-Running (ERC-20)

// Standard approve is vulnerable to front-run between approve(100) and approve(50)
// attacker drains the original 100 before the 50 lands
mapping(address => mapping(address => uint256)) public allowance;

function approve(address spender, uint256 amount) external {
    allowance[msg.sender][spender] = amount;
}

3. Block Timestamp or Block Number Dependence for Randomness

function random() internal view returns (uint256) {
    return uint256(keccak256(abi.encodePacked(block.timestamp, block.difficulty)));
    // Miners can manipulate block.timestamp within ~15 second window
}

4. Sandwich Attack Surface in AMM Interactions

Contracts calling external AMMs with no slippage parameter (amountOutMin == 0).

uniswapRouter.swapExactTokensForTokens(amountIn, 0, path, recipient, deadline);
// amountOutMin = 0 means accept any output — sandwich attacker extracts full slippage

Detection Heuristics

  1. Detect block.timestamp or block.difficulty used in keccak256 hash for randomness
  2. Detect AMM swap calls with hardcoded 0 for amountOutMin
  3. Detect standard ERC-20 approve without increaseAllowance alternative
  4. Detect auction/bidding patterns without a commit-reveal structure

Acceptance Criteria

  • CP-119 rule in packages/core/src/rules/cp119-frontrunning.ts
  • Block timestamp/difficulty randomness detection with High severity
  • AMM swap with zero slippage detection with High severity
  • ERC-20 approve race condition with Medium severity
  • Auction front-running heuristic with Medium severity
  • Example vulnerable contracts in examples/contracts/mev/

References
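The four detection heuristics above, as an added example that is not ChainProof's own code and not part of the issue: a line-level heuristic detector over Solidity source text, with the severities from the acceptance criteria. The `Finding` shape, the rule id strings (`CP119-RANDOMNESS` and so on), the `detectFrontRunning()` entry point and the two sample contracts are assumptions made for this illustration; the Uniswap V2 router function names and argument positions are the real ones.

```typescript
// Added example, not ChainProof's own code: a line-level heuristic detector
// for the four CP-119 patterns. The Finding shape, the rule id strings and
// the detectFrontRunning() entry point are assumptions for this illustration.

type Severity = "High" | "Medium";

interface Finding {
  rule: string;       // assumed rule id, e.g. CP119-RANDOMNESS
  severity: Severity;
  line: number;       // 1-based line in the analysed Solidity source
  message: string;
}

// Blank out comments while keeping newlines, so that line numbers stay stable
// and a commented-out `block.timestamp` does not produce a false positive.
function stripComments(src: string): string {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, "");
}

// Uniswap V2 router swap functions and the 0-based position of their
// amountOutMin argument (it is the first argument for the ETH-input variant).
const SWAP_MIN_OUT_INDEX: Record<string, number> = {
  swapExactTokensForTokens: 1,
  swapExactTokensForETH: 1,
  swapExactETHForTokens: 0,
};

// Split an argument list on top-level commas only, so that a nested call such
// as abi.encodePacked(a, b) stays one argument.
function splitArgs(argText: string): string[] {
  const out: string[] = [];
  let depth = 0;
  let cur = "";
  for (let i = 0; i < argText.length; i++) {
    const ch = argText.charAt(i);
    if (ch === "(" || ch === "[") depth++;
    else if (ch === ")" || ch === "]") depth--;
    if (ch === "," && depth === 0) { out.push(cur.trim()); cur = ""; } else cur += ch;
  }
  if (cur.trim() !== "") out.push(cur.trim());
  return out;
}

// Index of the first line matching `re`, or -1.
function firstLine(lines: string[], re: RegExp): number {
  for (let i = 0; i < lines.length; i++) if (re.test(lines[i])) return i;
  return -1;
}

function detectFrontRunning(source: string): Finding[] {
  const findings: Finding[] = [];
  const code = stripComments(source);
  const lines = code.split("\n");

  lines.forEach((text, i) => {
    const line = i + 1;
    // Heuristic 1: block fields hashed into a "random" number (High).
    if (/keccak256\s*\(/.test(text) && /block\.(timestamp|difficulty)\b/.test(text)) {
      findings.push({ rule: "CP119-RANDOMNESS", severity: "High", line,
        message: "block.timestamp/block.difficulty used as a randomness source" });
    }
    // Heuristic 2: AMM swap with a literal 0 for amountOutMin (High).
    Object.keys(SWAP_MIN_OUT_INDEX).forEach((fn) => {
      const at = text.indexOf(fn + "(");
      if (at < 0) return;
      const args = splitArgs(text.slice(at + fn.length + 1, text.lastIndexOf(")")));
      if (args[SWAP_MIN_OUT_INDEX[fn]] === "0") {
        findings.push({ rule: "CP119-ZERO-SLIPPAGE", severity: "High", line,
          message: fn + " called with amountOutMin = 0" });
      }
    });
  });

  // Heuristic 3: approve() defined, but no increaseAllowance/decreaseAllowance (Medium).
  const approveAt = firstLine(lines, /function\s+approve\s*\(/);
  if (approveAt >= 0 && !/function\s+(increase|decrease)Allowance\s*\(/.test(code)) {
    findings.push({ rule: "CP119-APPROVE-RACE", severity: "Medium", line: approveAt + 1,
      message: "approve() without an increaseAllowance/decreaseAllowance alternative" });
  }
  // Heuristic 4: bidding logic with no commit/reveal functions anywhere (Medium).
  let bidAt = firstLine(lines, /function\s+bid\s*\(/);
  if (bidAt < 0) bidAt = firstLine(lines, /\bhighestBid\b/);
  if (bidAt >= 0 && !/\b(commit|reveal)\w*\s*\(/i.test(code)) {
    findings.push({ rule: "CP119-AUCTION-FRONTRUN", severity: "Medium", line: bidAt + 1,
      message: "bidding logic without a commit-reveal scheme" });
  }
  return findings;
}

// Constructed sample input (not a real deployed contract): the issue's four
// vulnerable snippets collected into one source file.
const VULNERABLE_SAMPLE = `
contract Vulnerable {
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public highestBid;
    address public highestBidder;
    function bid(uint256 amount) external {
        require(amount > highestBid, "too low");
        highestBid = amount;
        highestBidder = msg.sender;
    }
    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
    function random() internal view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.difficulty)));
    }
    function swap(uint256 amountIn, address[] calldata path, uint256 deadline) external {
        uniswapRouter.swapExactTokensForTokens(amountIn, 0, path, msg.sender, deadline);
    }
}`;

// Constructed hardened counterpart: commit-reveal bidding, an increaseAllowance
// alternative, a caller-supplied amountOutMin, and no block fields in the hash.
const HARDENED_SAMPLE = `
contract Hardened {
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bytes32) public commitments;
    function commitBid(bytes32 c) external { commitments[msg.sender] = c; }
    function revealBid(uint256 amount, bytes32 salt) external {
        require(keccak256(abi.encodePacked(amount, salt)) == commitments[msg.sender]);
    }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function increaseAllowance(address spender, uint256 added) external { allowance[msg.sender][spender] += added; }
    function swap(uint256 amountIn, uint256 amountOutMin, address[] calldata path, uint256 deadline) external {
        uniswapRouter.swapExactTokensForTokens(amountIn, amountOutMin, path, msg.sender, deadline);
    }
}`;
```

Running `detectFrontRunning(VULNERABLE_SAMPLE)` yields four findings (two High, two Medium) with the line of each pattern, and the hardened sample yields none. The detector is text-based on purpose: it strips comments so that commented-out code does not fire, and it parses the swap call's argument list rather than matching `, 0,` anywhere, but it does not resolve variables, so an `amountOutMin` that is a constant set to 0 elsewhere is not caught; a rule built on ChainProof's AST would close that gap.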

Metadata

Assignees

No one assigned

    Labels

  • GrantFox OSS: Issue tracked in GrantFox OSS
  • Maybe Rewarded: Issue may be eligible for a GrantFox reward
  • Official Campaign: Campaign: Official Campaign
  • enhancement: New feature or request


    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
