There are several examples of interactions preceding effects:
- In the deposit function of the Collateral contract, collateral is retrieved before the user balance is updated and an event is emitted.
- In the `_withdraw` function of the Collateral contract, collateral is sent before the event is emitted.
- The same pattern occurs in the `depositToInsuranceFund`, `depositEtherToInsuranceFund` and `withdrawFromInsuranceFund` functions of the Perpetual contract.
It should be noted that even when a correctly implemented ERC20 contract is used for collateral, incoming and outgoing transfers could execute arbitrary code if the contract is also ERC777 compliant.
These re-entrancy opportunities are unlikely to corrupt the internal state of the system, but they would affect the order and contents of emitted events, which could confuse external clients about the state of the system.
Consider always following the "Checks-Effects-Interactions" pattern or using ReentrancyGuard. The ReentrancyGuard contract is now used to protect those functions.
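The following is an added illustration of the ordering issue described above, written for this page and not taken from the MCDEX Mai Protocol or the OpenZeppelin audit. `CollateralVault`, its functions and events are hypothetical; it assumes OpenZeppelin's `IERC20`, `SafeERC20` and `ReentrancyGuard` (v4 import paths). `depositInteractionFirst` shows the interaction-before-effects ordering the finding describes, where an ERC777 `tokensToSend` hook runs before the balance and event are recorded; `deposit` and `withdraw` show the same operations in Checks-Effects-Interactions order, additionally protected by `nonReentrant`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Hypothetical collateral vault (not the audited contract) used to
/// contrast interaction-first ordering with Checks-Effects-Interactions.
contract CollateralVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateral;
    mapping(address => uint256) public balances;

    event Deposit(address indexed account, uint256 amount);
    event Withdraw(address indexed account, uint256 amount);

    constructor(IERC20 _collateral) {
        collateral = _collateral;
    }

    // Interaction-before-effects ordering, as described in the finding.
    // If `collateral` is also ERC777-compliant, safeTransferFrom triggers the
    // sender's tokensToSend hook *before* the balance and Deposit event are
    // recorded, so any code running in that hook observes stale state and
    // any events it causes are emitted out of order.
    function depositInteractionFirst(uint256 amount) external {
        collateral.safeTransferFrom(msg.sender, address(this), amount); // interaction
        balances[msg.sender] += amount;                                  // effect
        emit Deposit(msg.sender, amount);                                // effect
    }

    // Checks-Effects-Interactions ordering plus ReentrancyGuard: state and
    // events are final before any external call can run a hook.
    function deposit(uint256 amount) external nonReentrant {
        require(amount > 0, "zero amount");                              // check
        balances[msg.sender] += amount;                                  // effect
        emit Deposit(msg.sender, amount);                                // effect
        collateral.safeTransferFrom(msg.sender, address(this), amount); // interaction
    }

    // Same ordering for the outgoing transfer: the balance is debited and the
    // event emitted before the token's tokensReceived hook can run.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        balances[msg.sender] -= amount;                                  // effect
        emit Withdraw(msg.sender, amount);                               // effect
        collateral.safeTransfer(msg.sender, amount);                     // interaction
    }
}
```

Note that crediting before the transfer is safe only because a failed `safeTransferFrom` reverts the whole transaction; it also credits the requested amount rather than the amount actually received, so the contract assumes the collateral token is not fee-on-transfer.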
- YouTube Reference
- Medium Risk severity finding from OpenZeppelin's Audit of MCDEX Mai Protocol