The Staking.deposit() function has two related issues: it does not follow the Checks-Effects-Interactions (CEI) pattern, and it has no reentrancy protection. The function lets users stake TKN and receive WETH rewards, but it applies no reentrancy guard (no modifier or mutex), and the external call TKN.transferFrom() is made before the contract's state is updated, so control can leave the contract while its accounting is still stale.
On its own, an out-of-order external call is a best-practice violation; it becomes exploitable as soon as the call can hand control back to the caller. transferFrom() is exactly such a call if TKN implements ERC777 (or wraps a token with hooks): the tokensToSend hook on the sender and the tokensReceived hook on the recipient both run inside the transfer, and a contract attacker can use them to re-enter deposit() before the first deposit's state changes have been written.
The consequence of re-entering with stale state is incorrect accounting of stakes and rewards, which puts the funds held by Staking.sol at risk, both the staked TKN and the WETH reward balance.
To address these vulnerabilities, I recommend implementing the CEI pattern and modifying the function logic as follows:
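As an added illustration (not the code of the audited project), the sketch below places a vulnerable deposit() beside a hardened one. Contract and variable names (`StakingVulnerable`, `StakingHardened`, `staked`, `totalStaked`) are assumptions for the example; the import paths are those of OpenZeppelin Contracts v5, and TKN is assumed to be a standard token without a transfer fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited Staking.sol. OpenZeppelin v5 import paths assumed.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Pattern described in the finding: external call first, state update after, no guard.
/// If `tkn` hands control back during transferFrom (ERC777 hooks), an attacker can
/// re-enter deposit() while `staked`/`totalStaked` still reflect the pre-call state.
contract StakingVulnerable {
    IERC20 public immutable tkn;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 _tkn) {
        tkn = _tkn;
    }

    function deposit(uint256 amount) external {
        // Interaction happens before the effects below: CEI violated, no reentrancy guard.
        require(tkn.transferFrom(msg.sender, address(this), amount), "transfer failed");
        staked[msg.sender] += amount;
        totalStaked += amount;
    }
}

/// Hardened form: Checks, then Effects, then the single Interaction, plus a mutex.
contract StakingHardened is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable tkn;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    event Deposited(address indexed account, uint256 amount);

    constructor(IERC20 _tkn) {
        tkn = _tkn;
    }

    function deposit(uint256 amount) external nonReentrant {
        // Checks: validate inputs before touching any state.
        require(amount > 0, "zero amount");

        // Effects: every state write happens before control can leave the contract.
        staked[msg.sender] += amount;
        totalStaked += amount;
        emit Deposited(msg.sender, amount);

        // Interaction: the only external call is last. safeTransferFrom reverts on
        // failure and on tokens that return false instead of reverting, so a failed
        // transfer rolls back the effects above.
        tkn.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

Two caveats a reviewer would want on record. First, the ordering change and the guard are complementary, not alternatives: nonReentrant stops any re-entry into guarded functions, while CEI ordering limits the damage if some unguarded function is reachable from the hook. Second, strict CEI on a deposit assumes the credited amount equals the amount received; for a fee-on-transfer token the balance-before/after measurement would have to follow the transfer, and the reentrancy guard then becomes the primary protection.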