Reentrancy in refund() can allow a malicious player to steal all funds in the contract.
The refund() function is vulnerable to reentrancy attacks. This means that a malicious player can call the function multiple times before the state is updated, which allows them to steal funds from the contract.
To perform a reentrancy attack, a malicious player would first call the refund() function. This would cause the contract to send some funds to the player. The player would then immediately call the refund() function again. This process would be repeated until all of the funds in the contract have been drained.
The vulnerability is particularly dangerous because state updates are performed after the external call using the sendValue() function. This means that the attacker's balance of funds is not updated until after the contract has sent funds to them. This allows the attacker to call the refund() function multiple times before the contract realizes that they have already been refunded.
Link: https://gist.github.com/Falilah/14be4c04945b35d81bb038789492439c
Manual review, Foundry
To prevent this type of attack, the team should always use reentrancy guards. A reentrancy guard is a piece of code that prevents a function from being called again before the state is updated.
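The ordering problem and its fix, as an added example that is not the audited contract's code: the contract name, the `deposits` mapping, `enter()` and the hand-written `nonReentrant` modifier are assumptions, and a low-level `call` stands in for `sendValue()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; contract, mapping and function names are hypothetical.
contract RefundExample {
    mapping(address => uint256) public deposits; // assumed per-player bookkeeping
    bool private locked;                         // minimal reentrancy guard flag

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function enter() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Ordering described in the finding: the external call runs while the
    // caller's deposit is still recorded, so a nested call passes the check.
    function refundVulnerable() external {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to refund");
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
        deposits[msg.sender] = 0; // state update happens too late
    }

    // Hardened: check, then state update, then external call, plus the guard.
    function refund() external nonReentrant {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to refund");
        deposits[msg.sender] = 0; // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Either change alone closes this path: with the deposit zeroed first, a nested call fails the `amount > 0` check, and with the guard set, it reverts on `locked`.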
reentrancy in refund() function