See the vulnerability details; they show all details about the vulnerability and the problem in that line of the function. To explain the vulnerability:
The code checks whether the ercEscrowed balance of the user is less than the ercAmount they are trying to use in the contract. If the user's ercEscrowed balance is less than ercAmount, it reverts the transaction with the error Errors.InsufficientERCEscrowed(). The problem here is that this check does not account for the possibility of a reentrancy attack.
Here is a scenario that shows the problem. Let's assume that the user has a balance of 10 ERC tokens in their ercEscrowed account. They want to place an order that requires 15 ERC tokens.
The attacker deploys a malicious contract.
The attacker initiates a transaction to interact with the vulnerable contract, attempting to place an order for 15 ERC tokens.
This is where the reentrancy occurs:
The vulnerable contract checks whether the user's ercEscrowed balance, which is 10 ERC tokens, is less than the order amount (15 ERC tokens). It detects the insufficient balance and reverts the transaction.
At this point, the attacker's malicious contract is called again within the same transaction.
The attacker's contract initiates another interaction with the vulnerable contract, depositing more ERC tokens into their ercEscrowed balance.
This is where the manipulation occurs:
The attacker's contract repeatedly calls the vulnerable contract, depositing ERC tokens each time.
The vulnerable contract doesn't account for the change in the user's balance during the same transaction and doesn't perform further checks.
As a result, the attacker can eventually accumulate a sufficient balance in their ercEscrowed account to cover the 15 ERC tokens required for the order.
As a result of this scenario:
The attacker's malicious contract successfully tricks the vulnerable contract into allowing the order, even though the attacker initially had an insufficient balance.
Financial losses occur as the vulnerable contract fulfills the order without proper validation, transferring 15 ERC tokens to the attacker.
An attacker can exploit this vulnerability through a reentrancy attack and then manipulate their ercEscrowed balance to trick the contract into allowing an order for which they do not have sufficient funds. As a result, this can lead to financial losses or disruptions in the functioning of the contract.
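As an added illustration (not the warden's or the project's code), here is the standard defensive shape for this kind of check: a reentrancy lock on both the deposit and order paths, and the escrow debit applied before any external interaction, so a reentrant call either reverts or sees the already-updated ercEscrowed balance. Only ercEscrowed, ercAmount and Errors.InsufficientERCEscrowed() come from the finding; the contract, function names and lock are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. Only the names
// ercEscrowed, ercAmount and Errors.InsufficientERCEscrowed() come from
// the finding; everything else here is assumed.
library Errors {
    error InsufficientERCEscrowed();
    error Reentrancy();
}

contract EscrowOrderBook {
    mapping(address => uint256) public ercEscrowed;

    event OrderPlaced(address indexed maker, uint256 ercAmount);

    // Simple reentrancy lock: a nested call into any guarded function
    // from within the same outer call reverts instead of observing a
    // half-updated state.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        if (_locked == 2) revert Errors.Reentrancy();
        _locked = 2;
        _;
        _locked = 1;
    }

    function depositErc(uint256 amount) external nonReentrant {
        // Assumed: the token pull (transferFrom) would happen here; the
        // credit to ercEscrowed is recorded inside the same guarded call.
        ercEscrowed[msg.sender] += amount;
    }

    function placeOrder(uint256 ercAmount) external nonReentrant {
        // Check: the balance test from the finding.
        if (ercEscrowed[msg.sender] < ercAmount) revert Errors.InsufficientERCEscrowed();
        // Effect: debit escrow before any external call, so the stored
        // balance is consistent no matter what a callee does.
        ercEscrowed[msg.sender] -= ercAmount;
        // Interaction: matching / transfers to counterparties would follow
        // (assumed, omitted). A callback cannot re-enter depositErc or
        // placeOrder while the lock is held.
        _matchOrder(msg.sender, ercAmount);
    }

    function _matchOrder(address maker, uint256 ercAmount) internal {
        // Placeholder for the project's matching logic (assumed).
        emit OrderPlaced(maker, ercAmount);
    }
}
```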
manual review
This update can help secure the code from the attack: