Submission Details
Severity: high

Reentrancy in Staking contract.

Vulnerability Details

The claim() function of Staking.sol can be reentered. claimable[msg.sender] is set to 0 only after that amount has been transferred to msg.sender, which violates the checks-effects-interactions (CEI) pattern: the state change happens after the external call. A malicious user can therefore use a fallback() to reenter claim() until all of the WETH held by the contract is drained.

Impact

Anyone with a non-zero claimable[msg.sender] amount can reenter claim() and drain the Staking contract of all of its WETH.

Tools Used

Manual Analysis

Recommendations

Make the state changes before the external call. Change:

/src/Staking.sol
function claim() external {
    updateFor(msg.sender);
    // vulnerable: external call happens while claimable[msg.sender] is still non-zero
    WETH.transfer(msg.sender, claimable[msg.sender]);
    claimable[msg.sender] = 0;
    balance = WETH.balanceOf(address(this));
}

To:

/src/Staking.sol
function claim() external {
    updateFor(msg.sender);
    uint256 amount = claimable[msg.sender]; // read the owed amount first
    claimable[msg.sender] = 0;              // effect: zero the entitlement before the call
    WETH.transfer(msg.sender, amount);      // interaction: a reentrant claim() now sees 0
    balance = WETH.balanceOf(address(this));
}
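The following is an added example, not the audited project's code: a hardened claim() that applies the CEI ordering above and adds a reentrancy guard as defence in depth, together with a Foundry regression test showing that a receiver calling back into claim() is paid exactly once. The names StakingHardened, HookedToken, Receiver and seed() are assumptions of this example; HookedToken is a constructed mock that notifies the receiver on transfer (real WETH has no such hook), and seed() stands in for the accrual done by updateFor(), whose logic is not on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Hardened claim(): effects before interaction, plus a reentrancy guard.
// Assumed contract name; not the project's Staking.sol.
contract StakingHardened {
    IERC20 public immutable WETH;
    mapping(address => uint256) public claimable;
    uint256 public balance;
    uint256 private _lock = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IERC20 weth) { WETH = weth; }

    // Stand-in for the page's updateFor(); rewards are seeded by the test instead.
    function updateFor(address) internal {}

    // Test-only seeding of an entitlement (assumed helper, not on the page).
    function seed(address who, uint256 amount) external { claimable[who] = amount; }

    function claim() external nonReentrant {
        updateFor(msg.sender);
        uint256 amount = claimable[msg.sender];                        // read once
        claimable[msg.sender] = 0;                                     // effect before the call
        require(WETH.transfer(msg.sender, amount), "transfer failed"); // interaction last
        balance = WETH.balanceOf(address(this));
    }
}

// Constructed mock: unlike real WETH, transfer() calls back into the receiver,
// which is what gives a contract receiver a chance to reenter claim() at all.
contract HookedToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        if (to.code.length > 0) Receiver(to).onReceive();
        return true;
    }
}

// Receiver whose callback tries claim() a second time; records whether that was rejected.
contract Receiver {
    StakingHardened immutable staking;
    bool public callbackReverted;
    constructor(StakingHardened s) { staking = s; }
    function onReceive() external {
        try staking.claim() {} catch { callbackReverted = true; }
    }
    function go() external { staking.claim(); }
}

contract ClaimReentrancyTest is Test {
    function testReenteredClaimPaysOnlyOnce() public {
        HookedToken weth = new HookedToken();
        StakingHardened staking = new StakingHardened(weth);
        Receiver r = new Receiver(staking);
        weth.mint(address(staking), 10 ether); // pool holds 10 WETH
        staking.seed(address(r), 1 ether);     // receiver is owed 1 WETH

        r.go();

        assertEq(weth.balanceOf(address(r)), 1 ether);       // paid exactly once
        assertEq(weth.balanceOf(address(staking)), 9 ether); // pool keeps the rest
        assertTrue(r.callbackReverted());                    // guard rejected the nested call
        assertEq(staking.claimable(address(r)), 0);
    }
}
```

Run with forge test. The CEI ordering alone already stops the drain (a nested claim() reads claimable == 0), but the guard also prevents the nested call from recursing through a zero-value transfer until gas runs out, and the require on transfer() catches tokens that return false instead of reverting.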
