Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[M2] Incomplete reentrancy protection of submitAndDeposit() #360

Open
code423n4 opened this issue Sep 25, 2022 · 4 comments
Open

[M2] Incomplete reentrancy protection of submitAndDeposit() #360

code423n4 opened this issue Sep 25, 2022 · 4 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax question Further information is requested

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-09-frax/blob/55ea6b1ef3857a277e2f47d42029bc0f3d6f9173/src/frxETHMinter.sol#L70

Vulnerability details

Impact

​ Risk of reentrancy in submitAndDeposit function.

PoC

​ I see that you added the non reentrant modifier to the internal function _submit().
The problem with this is that you are not protecting some parts of the function submitAndDeposit()

function submitAndDeposit(address recipient) external payable returns (uint256 shares) {
    // Give the frxETH to this contract after it is generated
    _submit(address(this));
    // Approve frxETH to sfrxETH for staking
    frxETHToken.approve(address(sfrxETHToken), msg.value);
    // Deposit the frxETH and give the generated sfrxETH to the final recipient
    uint256 sfrxeth_recieved = sfrxETHToken.deposit(msg.value, recipient);  
    require(sfrxeth_recieved > 0, 'No sfrxETH was returned');
    return sfrxeth_recieved;
}

In this case if sfrxETHToken.deposit(msg.value, recipient); it could reenter depending on implementation (actually we only have access to interface IsfrxETH)

In any case it is better to add reentrant modifier to every external function that you want to protect.

Recommended

Remove nonReentrant modifier from _submit() and add it to every function that uses it
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 25, 2022
code423n4 added a commit that referenced this issue Sep 25, 2022
@code423n4
peritoflores issue #360
20dd6bf
@FortisFortuna
Copy link

FortisFortuna commented Sep 25, 2022
edited
Loading

Was anything brickable or could funds be stolen? We saw this with Slither and deemed it a non-issue.

@FortisFortuna FortisFortuna added the question Further information is requested label Sep 25, 2022
@itsmetechjay
Copy link

@peritoflores, can you chime in on the sponsor question above?

@peritoflores
Copy link

Hi @FortisFortuna ,

I reported this issue as "medium" because according to code4rena standard.
"Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements."

The main problem is that sfrxETHToken is just an interface so I do not have the code to say that is where the "hypotethical" is. In any case it is pretty general that all the functions in most of the protocols that are related to "deposit" or "withdraw" are always protected by non-reentrant modifier, unless you have no any external call which is not your case. @itsmetechjay

@0xean
Copy link
Collaborator

0xean commented Oct 12, 2022

Downgrading to QA due to lack of more explicit POC. The possibility of re-entrancy alone is not enough for M

@0xean 0xean added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@0xean @FortisFortuna @code423n4 @itsmetechjay @peritoflores