Last updated: March 11, 2025

SCWE-052: Transaction Order Dependence

Stable Version v0.0.1

This content is in version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).


Relationships

Description

Transaction Order Dependence (TOD) occurs when the outcome of a contract's execution depends on the order of transactions. Attackers can exploit this issue by submitting transactions in a specific order, manipulating the contract's state and gaining an unfair advantage, such as front-running or back-running other transactions. This can lead to unexpected behavior and resource consumption.

Remediation

To mitigate TOD vulnerabilities, ensure that the contract's logic does not depend on transaction order. Use techniques like commit-reveal schemes or randomization to prevent attackers from predicting the transaction order and exploiting it.

Vulnerable Contract Example

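pragma solidity ^0.8.0;

contract TODExample {
    address public winner;

    // Any bid above 1 ether overwrites the winner, so whichever qualifying
    // transaction is mined last wins regardless of the amount sent.
    function bid() public payable {
        require(msg.value > 1 ether, "Bid too low");
        winner = msg.sender;  // Dependent on transaction order
    }
}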

Fixed Contract Example

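pragma solidity ^0.8.0;

contract FixedTODExample {
    address public winner;
    uint public highestBid;

    // A bid only replaces the winner if it exceeds the current highest bid,
    // so a later transaction cannot win with a lower amount.
    // Note: this minimal example does not refund the outbid bidder's ether.
    function bid() public payable {
        require(msg.value > highestBid, "Bid too low");
        highestBid = msg.value;
        winner = msg.sender;
    }
}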
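
The commit-reveal scheme named under Remediation, sketched as a sealed-bid auction. This is an added example, not code from the SCWE entry; the contract name, phase lengths, deposit rule and pull-payment refunds are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not from the SCWE entry. Names, phase lengths and the
// deposit/refund rules are assumptions chosen for this sketch.
contract CommitRevealAuction {
    struct Commit { bytes32 hash; uint256 deposit; }
    uint256 public immutable commitEnd;
    uint256 public immutable revealEnd;
    address public winner;
    uint256 public highestBid;
    mapping(address => Commit) public commits;
    mapping(address => uint256) public refunds; // pull-payment balances

    constructor(uint256 commitSecs, uint256 revealSecs) {
        commitEnd = block.timestamp + commitSecs;
        revealEnd = commitEnd + revealSecs;
    }
    // Phase 1: publish only keccak256(abi.encode(bidder, amount, salt)).
    // msg.value is public, so a bidder may over-deposit to mask the amount.
    function commit(bytes32 hash) external payable {
        require(block.timestamp < commitEnd, "Commit phase over");
        require(hash != bytes32(0), "Empty commitment");
        require(commits[msg.sender].hash == bytes32(0), "Already committed");
        commits[msg.sender] = Commit(hash, msg.value);
    }

    // Phase 2: open the commitment. msg.sender is part of the preimage, so a
    // commitment copied from the mempool cannot be revealed by another account.
    function reveal(uint256 amount, bytes32 salt) external {
        require(block.timestamp >= commitEnd && block.timestamp < revealEnd, "Not reveal phase");
        Commit memory c = commits[msg.sender];
        require(c.hash == keccak256(abi.encode(msg.sender, amount, salt)), "Bad reveal");
        require(amount <= c.deposit, "Deposit too small");
        delete commits[msg.sender];
        if (amount > highestBid) {
            refunds[winner] += highestBid;              // outbid leader gets the bid back
            refunds[msg.sender] += c.deposit - amount;  // return the masking excess
            winner = msg.sender;
            highestBid = amount;
        } else {
            refunds[msg.sender] += c.deposit;           // losing bid: full refund
        }
    }
    function withdraw() external {
        uint256 owed = refunds[msg.sender];
        refunds[msg.sender] = 0;                        // clear before the external call
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "Transfer failed");
    }
}
```

Bid amounts are fixed before anyone can see them, so the order of transactions within the reveal phase only matters for exact ties. Deposits that are never validly revealed, and the winning bid itself, stay in the contract; paying out to a seller is left out of the sketch.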