
[Bug-Candidate]: Wrong Detection of a Reentrancy Attack #1472

Closed
kantorkid opened this issue Nov 15, 2022 · 1 comment


kantorkid commented Nov 15, 2022

Describe the issue:

Slither reports "Reentrancy", although this is not a security bug, because a user can't get control over the xcKSM.transfer() function.

Code example to reproduce the issue:

Moonscan link:
https://moonscan.io/address/0x11ACa58F37c55923C73fe53196E1DD9f6fE72230#code

Code example:

function claim(address _holder) external onlyLido returns (uint256) {
    // go through claims and check if unlocked, then just transfer xcKSMs
    uint256 readyToClaim = 0;
    uint256 readyToClaimCount = 0;
    Request[] storage requests = userRequests[_holder];
    uint256 stKSMDecimals = 10**stKSM.decimals();

    for (uint256 i = 0; i < requests.length; ++i) {
        if (requests[i].batchId <= claimableId) {
            readyToClaim += requests[i].share * batchSharePrice[requests[i].batchId] / stKSMDecimals;
            readyToClaimCount += 1;
        }
        else {
            requests[i - readyToClaimCount] = requests[i];
        }
    }

    // remove claimed items
    for (uint256 i = 0; i < readyToClaimCount; ++i) { requests.pop(); }

    require(readyToClaim <= xcKSM.balanceOf(address(this)), "WITHDRAWAL: CLAIM_EXCEEDS_BALANCE");
    xcKSM.transfer(_holder, readyToClaim);
    pendingForClaiming -= readyToClaim;

    emit Claimed(_holder, readyToClaim);

    return readyToClaim;
}

Version:

0.8.3

Relevant log output:

Reentrancy in Withdrawal.claim(address) (Withdrawal.sol#200-227):
        External calls:
        - xcKSM.transfer(_holder,readyToClaim) (Withdrawal.sol#221)
        State variables written after the call(s):
        - pendingForClaiming -= readyToClaim (Withdrawal.sol#222)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-2

Reentrancy in Withdrawal.claim(address) (Withdrawal.sol#200-227):
        External calls:
        - xcKSM.transfer(_holder,readyToClaim) (Withdrawal.sol#221)
        Event emitted after the call(s):
        - Claimed(_holder,readyToClaim) (Withdrawal.sol#224)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3
@kantorkid kantorkid added the bug-candidate Bugs reports that are not yet confirmed label Nov 15, 2022
@0xalpharush
Contributor

Slither does not guarantee that all results are exploitable, so this result and #1473 are the tool working as anticipated. The analysis is an over-approximation, i.e., more results are shown than can actually happen, because the runtime behavior of a token or whether an address has authorization is not available to the tool. If you see a spurious result and know that a contract is trusted, you can use the code comments shown here to silence warnings #1089.
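The two ways of resolving a finding like this one, as an added illustration that is not the Withdrawal contract's code nor part of the thread: reorder claim() so every state write and the event precede the token call (checks-effects-interactions), which makes both reentrancy-benign and reentrancy-events stop firing, or keep the order and triage the finding with a slither-disable-next-line comment. The contract, the `claimable` mapping and the `IERC20Like` interface are constructed for the example; the detector names and the comment placement directly above the reported external call are my assumptions about how the suppression is matched.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not the Lido/Withdrawal contract from the issue.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

contract WithdrawalCEI {
    IERC20Like public xcKSM;                        // token handle, as in the issue
    uint256 public pendingForClaiming;
    mapping(address => uint256) internal claimable; // hypothetical: precomputed amount per holder

    event Claimed(address indexed holder, uint256 amount);

    constructor(IERC20Like token) { xcKSM = token; }

    // Option 1: checks-effects-interactions. Nothing is written or emitted
    // after the external call, so there is nothing for the detector to flag.
    function claim(address _holder) external returns (uint256) {
        uint256 readyToClaim = claimable[_holder];
        require(readyToClaim <= xcKSM.balanceOf(address(this)), "WITHDRAWAL: CLAIM_EXCEEDS_BALANCE");

        // Effects: all state updates and the event come first.
        claimable[_holder] = 0;
        pendingForClaiming -= readyToClaim;
        emit Claimed(_holder, readyToClaim);

        // Interaction: the token call is last, and its return value is checked.
        require(xcKSM.transfer(_holder, readyToClaim), "WITHDRAWAL: TRANSFER_FAILED");
        return readyToClaim;
    }

    // Option 2: keep the original ordering for a token known to be trusted and
    // silence the two detectors on the reported call line instead.
    function claimTrusted(address _holder) external returns (uint256) {
        uint256 readyToClaim = claimable[_holder];
        claimable[_holder] = 0;
        // slither-disable-next-line reentrancy-benign,reentrancy-events
        xcKSM.transfer(_holder, readyToClaim);
        pendingForClaiming -= readyToClaim; // state write after the call: benign, triaged
        emit Claimed(_holder, readyToClaim); // event after the call: triaged
        return readyToClaim;
    }
}
```

Option 1 is preferable where the contract is still being written, since it removes the finding for every token rather than only for the one you trust today.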
