20,000 USDC
Submission Details
Severity: medium

Deposit function can lead to a potential reentrancy vulnerability.

Vulnerability Details
The deposit function transfers _amount tokens from the caller (msg.sender) to the contract (address(this)) by calling TKN.transferFrom, which is an external call into the token contract. If that contract's code is malicious and designed to execute a reentrancy attack, it can call back into deposit before the original call completes, i.e. before updateFor has run and balances[msg.sender] has been updated.

Affected Code:

function deposit(uint _amount) external {
    TKN.transferFrom(msg.sender, address(this), _amount);
    updateFor(msg.sender);
    balances[msg.sender] += _amount;
}

Impact

If the token contract's code is malicious and designed to execute a reentrancy attack, it can call back into deposit during transferFrom, while the caller's balance and accounting (updateFor) have not yet been updated.

Tools Used

Manual

Recommendations

To protect against reentrancy, follow the "checks-effects-interactions" pattern: perform all necessary checks and state updates before making any external calls. For deposit, update the user's accounting and balance first, and only then transfer the tokens.

Suggested Code:

function deposit(uint _amount) external {
    updateFor(msg.sender);
    balances[msg.sender] += _amount;
    TKN.transferFrom(msg.sender, address(this), _amount);
}
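The following is an added example, not the audited project's code, showing the hardened deposit in a complete compilable contract. It applies the checks-effects-interactions order from the recommendation above and adds two further defensive measures a practitioner would want alongside it: a simple mutex (nonReentrant) so that a token whose transferFrom calls back into this contract reverts, and a check of the transferFrom return value, since crediting balances before the transfer is only safe if a failed transfer reverts. TKN, balances and updateFor are the names used in the submission; the IERC20 interface, the mutex, the lastUpdated mapping and the body of updateFor are assumptions made here to make the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. TKN, balances and updateFor
// come from the submission; the interface, the mutex, lastUpdated and the body
// of updateFor are assumptions made here so the contract compiles on its own.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract HardenedVault {
    IERC20 public immutable TKN;
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastUpdated; // assumed bookkeeping used by updateFor

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    error Reentrancy();
    error TransferFailed();

    constructor(IERC20 token) {
        TKN = token;
    }

    // Mutex: a nested call into any guarded function reverts, so even a token
    // whose transferFrom hands control back to this contract (for example a
    // token with transfer hooks) cannot re-enter deposit.
    modifier nonReentrant() {
        if (status == ENTERED) revert Reentrancy();
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    // Assumed stand-in for the submission's updateFor.
    function updateFor(address account) internal {
        lastUpdated[account] = block.timestamp;
    }

    function deposit(uint256 _amount) external nonReentrant {
        // Effects first (checks-effects-interactions): all state is final
        // before the external call, so nothing observable is half-updated.
        updateFor(msg.sender);
        balances[msg.sender] += _amount;

        // Interaction last. The return value is checked explicitly: with the
        // balance already credited, a transfer that fails without reverting
        // would otherwise leave the contract owing tokens it never received.
        bool ok = TKN.transferFrom(msg.sender, address(this), _amount);
        if (!ok) revert TransferFailed();
    }
}
```

The mutex and the effects-first ordering are complementary: the ordering limits what a re-entrant caller can observe, while the mutex rejects the nested call outright, which also covers any other guarded function in the contract that shares the same state.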
