DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Potential Violation of Check-Effects-Interaction Pattern

Summary

Vulnerability Details

The call to `burnFrom` is an external call that is made before the state updates (such as updating the liquidator's collateral and the remaining liquidation amount).

Impact

Reentrancy

Tools Used

Manual

Recommendations

It's generally recommended to perform all external calls at the end of the function, after all state updates (the Checks-Effects-Interactions pattern).

Here's a sample modification for your code:

```solidity
// Store necessary parameters for the external call
address burnFromAddress = msg.sender;
uint88 burnAmount = m.short.ercDebt;

// Perform state changes
if (partialTappLiquidation) {
    _secondaryLiquidationHelperPartialTapp(m);
} else {
    _secondaryLiquidationHelper(m);
}

// Update in memory for final state change after loops
liquidatorCollateral += m.liquidatorCollateral;
liquidateAmountLeft -= m.short.ercDebt;

// Make the external call at the end, after every state update
IAsset tokenContract = IAsset(asset);
tokenContract.burnFrom(burnFromAddress, burnAmount);

// Exit the loop only after the burn, so the final iteration's burn is not skipped
if (liquidateAmountLeft == 0) break;
```

This way, even if the `burnFrom` function is not correctly implemented and allows for reentrancy, it won't be able to affect the state of your contract because all state changes have already been made.
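The recommendation above, carried through to a self-contained contract as an added illustration (not DittoETH's code): a liquidation loop that does all of its storage writes first and burns the liquidator's tokens once, after the loop, so a `burnFrom` that calls back in only ever observes final state. The interface `IBurnable`, the contract `CeiLiquidator` and the mappings `debts` and `collateral` are placeholders chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token interface; mirrors the burnFrom(address, uint) call in the report.
interface IBurnable {
    function burnFrom(address account, uint256 amount) external;
}

// Illustrative liquidation accounting in Checks-Effects-Interactions order.
// Not DittoETH code: debts, collateral and the 1:1 payout are simplifications.
contract CeiLiquidator {
    IBurnable public immutable asset;
    mapping(address => uint256) public debts;       // outstanding debt per borrower
    mapping(address => uint256) public collateral;  // collateral owed to liquidators
    bool private locked;                            // defence in depth: reentrancy lock

    constructor(IBurnable _asset) { asset = _asset; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Liquidate several borrowers; the liquidator's tokens are burned once, at the end.
    function liquidateBatch(address[] calldata borrowers, uint256 liquidateAmount) external nonReentrant {
        // CHECKS: validate inputs before touching state
        require(liquidateAmount > 0, "zero amount");
        uint256 liquidateAmountLeft = liquidateAmount;
        uint256 liquidatorCollateral;

        // EFFECTS: every storage write happens before any external call
        for (uint256 i = 0; i < borrowers.length; i++) {
            uint256 debt = debts[borrowers[i]];
            if (debt == 0) continue;
            uint256 repaid = debt < liquidateAmountLeft ? debt : liquidateAmountLeft;
            debts[borrowers[i]] = debt - repaid;
            liquidatorCollateral += repaid;          // 1:1 collateral for simplicity
            liquidateAmountLeft -= repaid;
            if (liquidateAmountLeft == 0) break;
        }
        collateral[msg.sender] += liquidatorCollateral;

        // INTERACTIONS: the external call comes last, so a reentrant burnFrom
        // sees already-updated debts and collateral and cannot double-count.
        asset.burnFrom(msg.sender, liquidateAmount - liquidateAmountLeft);
    }
}
```

Burning `liquidateAmount - liquidateAmountLeft` after the loop also avoids the per-iteration burn being skipped by an early `break`.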
Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Vague generalities
