Submission Details
Severity: low

Reentrancy event attack

Summary

redeemCollateralForDsc calls the burnDsc and redeemCollateral functions, both of which make further external calls. The burnDsc function calls transferFrom and burn on i_dsc, and the redeemCollateral function calls transfer on the IERC20 token at tokenCollateralAddress.

Vulnerability Details

#169-175

    function redeemCollateralForDsc(address tokenCollateralAddress, uint256 amountCollateral, uint256 amountDscToBurn)
        external
    {
        burnDsc(amountDscToBurn);
        redeemCollateral(tokenCollateralAddress, amountCollateral);
        // redeemCollateral already checks health factor
    }

#282-291

    function _redeemCollateral(address from, address to, address tokenCollateralAddress, uint256 amountCollateral)
        private
    {
        s_collateralDeposited[from][tokenCollateralAddress] -= amountCollateral;
        emit CollateralRedeemed(from, to, tokenCollateralAddress, amountCollateral);
        bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);
        if (!success) {
            revert DSCEngine__TransferFailed();
        }
    }

Impact

The possible reentrancy attack can occur in this sequence:

1. redeemCollateralForDsc is called, which calls burnDsc.
2. Within burnDsc, i_dsc.transferFrom is called, and this is the point of reentrancy.
3. If i_dsc is a malicious contract, it could call back into redeemCollateralForDsc.

Tools Used

Manual Review.
Slither (reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3)

Recommendations

Add the nonReentrant modifier to redeemCollateralForDsc.
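
One way to apply this recommendation, shown as an added example that is not part of the submission or the project's code. EngineSketch, Guard, IToken and depositCollateral are assumed names, Guard is a minimal lock in the style of OpenZeppelin's ReentrancyGuard, and minted-DSC accounting and the health factor check are left out. It assumes the wrapper must not call other guarded public functions, so the work is routed through private helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added example: simplified stand-in, not the audited DSCEngine source.
interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract Guard {
    error ReentrantCall();
    uint256 private _status = 1; // 1 = not entered, 2 = entered
    modifier nonReentrant() {
        if (_status == 2) revert ReentrantCall();
        _status = 2;
        _;
        _status = 1;
    }
}

contract EngineSketch is Guard {
    error TransferFailed();
    IToken private immutable i_dsc;
    mapping(address => mapping(address => uint256)) private s_collateralDeposited;

    constructor(address dsc) { i_dsc = IToken(dsc); }

    function depositCollateral(address token, uint256 amount) external nonReentrant {
        s_collateralDeposited[msg.sender][token] += amount;
        if (!IToken(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    // The lock is taken once here; a callback from either token into any
    // guarded entry point reverts with ReentrantCall.
    function redeemCollateralForDsc(address token, uint256 amountCollateral, uint256 amountDscToBurn)
        external nonReentrant
    {
        _burnDsc(msg.sender, amountDscToBurn);
        _redeemCollateral(msg.sender, token, amountCollateral);
    }

    // Helpers stay unguarded: a nonReentrant function called from inside
    // another nonReentrant function would revert on the nested lock.
    function _burnDsc(address from, uint256 amount) private {
        if (!i_dsc.transferFrom(from, address(this), amount)) revert TransferFailed();
    }
    function _redeemCollateral(address from, address token, uint256 amount) private {
        s_collateralDeposited[from][token] -= amount; // effects before the external call
        if (!IToken(token).transfer(from, amount)) revert TransferFailed();
    }
}
```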
