Rewards can be stolen by re-entering into updateDistribution
#134
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
cmichel
Vulnerability details
The
XDEFIDistribution.updateDistribution
function does not have re-entrancy locks and can be called fromlock -> _lock -> safeMint
which gives control back to themsg.sender
if it is a contract by performingmsg.sender.onERC721Received(...)
.As the
totalDepositedXDEFI
is not yet updated with the locked amount at the time of callingsafeMint
, re-entering intoupdateDistribution
will count the deposited amount as rewards and distribute them to all previous holders by increasing_pointsPerUnit
.POC
For simplicity, assume there's a zero-second locking duration and all these actions can be done in a single transaction.
It also leads to loss of funds in the case where there's no zero-second locking duration.
lock
and has anonERC721Received
receiver function. The_lock
'ssafeMint
will call this function with NFT_2 and the attacker callsupdateDistribution
which distributes the locked amount as a reward to all previous stakers, including themself as part of owning NFT_1.Impact
Funds can be stolen from the contract.
Recommended Mitigation Steps
_mint
instead of_safeMint
.updateDistribution
andmigrate
.The text was updated successfully, but these errors were encountered: