Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Reentrancy attacks, where external contracts can repeatedly call functions before the initial call completes.

Summary

The contract lacks proper protection against reentrancy attacks, where external contracts can repeatedly call functions before the initial call completes. This could lead to undesired contract behavior and potential financial losses.

Vulnerability Details

The distribute function below has no reentrancy guard, so an external contract reached during its execution can call back into it before the first invocation completes. An attacker could use this to alter contract state in the middle of a sensitive function.

// Vulnerable Function
function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data) public {
    require(msg.sender == address(proxyFactory), "Distributor__OnlyFactoryAddressIsAllowed");
    require(winners.length == percentages.length, "Distributor__MismatchedArrays");
    uint256 totalPercentage;
    for (uint256 i = 0; i < percentages.length; i++) {
        totalPercentage += percentages[i];
    }
    require(totalPercentage == 10000, "Distributor__InvalidTotalPercentage");
    // Vulnerable Code: Lack of Reentrancy Guard
    for (uint256 i = 0; i < winners.length; i++) {
        MockERC20(token).transfer(winners[i], (MockERC20(token).balanceOf(address(this)) * percentages[i]) / 10000);
    }
    emit Distributed(token, winners, percentages, data);
}

Impact

The absence of reentrancy guards exposes the contract to reentrancy attacks, allowing attackers to repeatedly call sensitive functions and manipulate contract state. This can lead to unauthorized token transfers, financial losses, and unexpected contract behavior.

Tools Used

Manual

Recommendations

  1. Implement reentrancy guards using the nonReentrant modifier or a similar technique so the function cannot be re-entered while it is still executing.

  2. Utilize the OpenZeppelin ReentrancyGuard library to add reentrancy protection to vulnerable functions.

By addressing these recommendations, you can mitigate the risk of reentrancy vulnerabilities and enhance the contract's security against this type of attack.
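A hardened version of distribute along the lines of Recommendation 2, written here as an added example rather than Sparkn's own code. It assumes OpenZeppelin Contracts v4 import paths, a hypothetical DistributorHardened contract whose proxyFactory is set in the constructor, and SafeERC20 for the transfers; besides the nonReentrant guard it reads the token balance once before any external call, so a re-entering callback cannot change the amounts computed for later winners.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed OpenZeppelin v4 paths (v5 moved ReentrancyGuard under utils/).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical hardened distributor; mirrors the vulnerable function's checks.
contract DistributorHardened is ReentrancyGuard {
    using SafeERC20 for IERC20;

    address public immutable proxyFactory;

    event Distributed(address token, address[] winners, uint256[] percentages, bytes data);

    constructor(address _proxyFactory) {
        proxyFactory = _proxyFactory;
    }

    // nonReentrant sets a lock on entry and reverts if distribute is entered again
    // before the lock is released at the end of the call.
    function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
        public
        nonReentrant
    {
        require(msg.sender == proxyFactory, "Distributor__OnlyFactoryAddressIsAllowed");
        require(winners.length == percentages.length, "Distributor__MismatchedArrays");
        uint256 totalPercentage;
        for (uint256 i = 0; i < percentages.length; i++) {
            totalPercentage += percentages[i];
        }
        require(totalPercentage == 10000, "Distributor__InvalidTotalPercentage");

        // Checks-effects-interactions: snapshot the pool before the first external
        // call so every winner's share is computed from the same starting balance.
        uint256 pool = IERC20(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; i++) {
            uint256 amount = (pool * percentages[i]) / 10000;
            // safeTransfer reverts on a false return or a non-compliant token.
            IERC20(token).safeTransfer(winners[i], amount);
        }
        emit Distributed(token, winners, percentages, data);
    }
}
```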
