Handle
0xRajeev
Vulnerability details
Impact
Many contracts use OpenZeppelin's nonReentrant modifier on functions that interact with external contracts to prevent any possible reentrancy. However, there are a few functions that miss using this modifier.
Impact: A missing nonReentrant modifier may allow reentrancy, although the risk is low given that most external contracts are "trusted" ones from the project itself or well-known yield sources. There are, though, a few functions that make calls to unknown/untrusted ERC20 tokens, but they seem to follow the CEI pattern currently. It is nevertheless safer to add the modifier for consistency, given that it is used everywhere else, at the cost of some extra gas.
Proof of Concept
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/ATokenYieldSource.sol#L224
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/ATokenYieldSource.sol#L233
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/IdleYieldSource.sol#L150
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/BadgerYieldSource.sol#L43
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/BadgerYieldSource.sol#L57
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/SushiYieldSource.sol#L47
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/SushiYieldSource.sol#L66
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add the missing nonReentrant modifier on all functions with external calls.
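As an added illustration (not code from the PoolTogether repository or from the reporter), a hypothetical yield source sketch showing a CEI-ordered redeem function both without and with OpenZeppelin's nonReentrant, plus a supply function where the pull-transfer must come before the share update, so the guard is what protects against a token that calls back. Import paths assume OpenZeppelin Contracts 4.x; contract and function names are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Paths assume OpenZeppelin Contracts 4.x (assumption; 3.x used utils/ReentrancyGuard.sol).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical yield source (not the PoolTogether code): shares are credited
/// and burned 1:1 against a deposit token that may be an arbitrary ERC20.
contract ExampleYieldSource is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable depositToken;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _depositToken) {
        depositToken = _depositToken;
    }

    /// Before: no guard. Safe only while CEI is kept; a later edit that moves
    /// the transfer above the share update would silently reopen reentrancy.
    function redeemTokenUnguarded(uint256 amount) external returns (uint256) {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;                  // effects first
        totalShares -= amount;
        depositToken.safeTransfer(msg.sender, amount); // interaction last
        return amount;
    }

    /// After: same CEI order plus nonReentrant, so the function stays safe
    /// even if the interaction is later reordered or the token calls back.
    function redeemToken(uint256 amount) external nonReentrant returns (uint256) {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        totalShares -= amount;
        depositToken.safeTransfer(msg.sender, amount);
        return amount;
    }

    function supplyTokenTo(uint256 amount, address to) external nonReentrant {
        // Pull first (interaction), then credit: CEI cannot be fully kept here,
        // so the guard is what stops a token with transfer hooks re-entering.
        depositToken.safeTransferFrom(msg.sender, address(this), amount);
        shares[to] += amount;
        totalShares += amount;
    }
}
```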