SCWE-052: Transaction Order Dependence
Stable Version v1.0
This content is at version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).
Relationships
- CWE-400: Uncontrolled Resource Consumption
https://cwe.mitre.org/data/definitions/400.html
Description
Transaction Order Dependence (TOD) occurs when the outcome of a contract call depends on the order in which transactions are included in a block. Pending transactions are visible in the public mempool, and their final order is chosen by the block producer (in practice, largely by who pays the most for priority), not by the sender. An attacker who observes a pending transaction can have their own transaction placed before it (front-running) or immediately after it (back-running), changing the contract's state so that the victim's call executes under conditions the victim did not expect, and gaining an unfair advantage. The result is unexpected behavior for honest users and, where the displaced transaction reverts or has to be resubmitted, wasted gas and resource consumption.
Remediation
To mitigate TOD, design the contract so that the final outcome does not depend on which of two competing transactions lands first. Commit-reveal schemes are the standard technique: users first submit only a hash of their input, and reveal the actual value after the commit phase has closed, so nothing actionable is visible in the mempool while ordering can still be exploited. Caller-supplied bounds (a minimum acceptable result, a maximum amount, a deadline) make a reordered transaction revert instead of executing on worse terms. Randomization of settlement is sometimes suggested, but randomness derived from block data such as block.timestamp or blockhash can be predicted or influenced by the block producer, so it must not be the only defense.
Vulnerable Contract Example

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract TODExample {
    address public winner;

    // Whoever's bid is included last in block order becomes the winner,
    // regardless of how much was paid, and earlier bidders are not refunded.
    // An attacker watching the mempool can wait for a victim's bid and submit
    // their own with a gas price that gets it ordered after the victim's.
    function bid() public payable {
        require(msg.value > 1 ether, "Bid too low");
        winner = msg.sender; // Dependent on transaction order
    }
}
```
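The following is an added example, not code from the SCWE page, showing the commit-reveal mitigation described under Remediation applied to the vulnerable bidding contract above. The contract name, phase durations, the hash layout and the pull-payment refund are this example's own choices, not something the page prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hardened counterpart of TODExample (added example, assumptions: names,
// phase durations and hash layout are illustrative).
// Bidders first publish keccak256(amount, salt, bidder); amounts are revealed
// and paid only after the commit window has closed. A front-runner who sees
// a reveal in the mempool can no longer submit a new, higher commitment, so
// transaction order within a phase does not decide the winner.
contract CommitRevealAuction {
    uint256 public constant MIN_BID = 1 ether;
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;

    mapping(address => bytes32) public commitments;
    mapping(address => uint256) public pendingReturns;

    address public winner;
    uint256 public highestBid;

    constructor(uint256 commitDuration, uint256 revealDuration) {
        commitDeadline = block.timestamp + commitDuration;
        revealDeadline = commitDeadline + revealDuration;
    }

    // Bidders compute this off-chain (or via eth_call) and keep salt secret.
    function hashBid(uint256 amount, bytes32 salt, address bidder) public pure returns (bytes32) {
        // All inputs are fixed-size, so encodePacked cannot be ambiguous here.
        return keccak256(abi.encodePacked(amount, salt, bidder));
    }

    // Phase 1: publish only the hash. Nothing about the amount is on-chain.
    function commit(bytes32 commitment) external {
        require(block.timestamp < commitDeadline, "Commit phase over");
        require(commitments[msg.sender] == bytes32(0), "Already committed");
        commitments[msg.sender] = commitment;
    }

    // Phase 2: reveal amount and salt, paying exactly the committed amount.
    // Binding msg.sender into the hash stops anyone from replaying another
    // bidder's commitment as their own.
    function reveal(uint256 amount, bytes32 salt) external payable {
        require(block.timestamp >= commitDeadline, "Commit phase not over");
        require(block.timestamp < revealDeadline, "Reveal phase over");
        require(commitments[msg.sender] == hashBid(amount, salt, msg.sender), "Bad reveal");
        require(msg.value == amount, "Value mismatch");
        require(amount >= MIN_BID, "Bid too low");
        delete commitments[msg.sender];

        if (amount > highestBid) {
            // Previous leader is refunded via pull payment, so a refund
            // failure cannot block the auction.
            if (winner != address(0)) {
                pendingReturns[winner] += highestBid;
            }
            winner = msg.sender;
            highestBid = amount;
        } else {
            pendingReturns[msg.sender] += amount;
        }
    }

    // Losing bidders (and displaced leaders) withdraw their own funds.
    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        pendingReturns[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```

Two residual points a reviewer should still check in a design like this: exact ties (`amount == highestBid`) are resolved in favour of the earlier reveal, so a tie-break that does not depend on ordering (for example, lowest commitment hash) is needed if ties matter; and the commit must be costly or refundable enough that spamming commitments without revealing is not an attractive way to grief the reveal phase.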