Submission Details
Severity: high

Potential Reentrancy Attack with ERC777 Tokens

Summary

The contract may be susceptible to reentrancy when it interacts with ERC777 tokens. Because it has no reentrancy guard and does not follow the "Checks-Effects-Interactions" pattern, an ERC777 token, which supports callback hooks, can give a malicious actor a way to re-enter the contract mid-execution.

Vulnerability Details

ERC777 is a token standard that introduces features not present in ERC20. One notable feature is its callback hooks, tokensToSend and tokensReceived, which the token calls on the sender and recipient respectively during a transfer. A malicious actor can use these callbacks to re-enter the contract before the original function has finished executing.

If the contract interacts with an ERC777 token, does not follow the "Checks-Effects-Interactions" pattern, and lacks a reentrancy guard, it is vulnerable to reentrancy. An attacker can use the ERC777 callback methods to call back into the contract while its state is still stale, potentially leading to unintended behavior or fund theft.

Impact

Malicious actors can re-enter the contract's functions through ERC777 hooks, manipulate contract state, and withdraw funds.

Tools Used

Manual Review

Recommendations

Integrate a reentrancy guard into the contract to prevent recursive calls; this can be achieved with the nonReentrant modifier provided by libraries such as OpenZeppelin. In addition, follow the "Checks-Effects-Interactions" pattern so that state is updated before any token transfer is made.
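The pattern at issue and the recommended fix side by side, added here as an illustration rather than code from the audited contract. It assumes a hypothetical token vault and OpenZeppelin Contracts v5 import paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical vault written for this example; not the audited contract.
// Assumes OpenZeppelin Contracts v5 import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// An ERC777 token exposes the ERC20 interface, so it can be passed as `token`.
// On transfer it invokes the recipient's tokensReceived hook (and the sender's
// tokensToSend hook) before the transfer call returns to the vault.
contract VulnerableVault {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC20 token_) { token = token_; }
    function deposit(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Interaction before effect: while safeTransfer is still executing, the
    // recipient's tokensReceived hook runs with balances[msg.sender] not yet
    // reduced, so a re-entrant withdraw passes the same check again.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        token.safeTransfer(msg.sender, amount);                          // interaction
        balances[msg.sender] -= amount;                                   // effect
    }
}

contract HardenedVault is ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external nonReentrant {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Checks-Effects-Interactions: the balance is reduced before the token
    // call, and nonReentrant rejects any hook-driven re-entry outright.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        balances[msg.sender] -= amount;                                   // effect
        token.safeTransfer(msg.sender, amount);                          // interaction
    }
}
```

Either measure alone closes the hole in withdraw; applying both means a single ordering mistake elsewhere in the contract does not silently reopen it.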
