The handleIncomingRESDL function in the SDLPoolCCIPControllerPrimary contract has a potential reentrancy vulnerability. Its state update, which reduces the total supply of a token on the source chain, is placed after an external call to ISDLPoolPrimary(sdlPool).handleIncomingRESDL. This order of operations may expose the contract to reentrancy attacks. In short, the function does not follow the Checks-Effects-Interactions (CEI) pattern.
The vulnerability arises from the fact that the state update is not done atomically with the external call. In case of reentrancy, an attacker could potentially re-enter the function before the state is updated, leading to an inconsistent state and unintended consequences.
If a reentrancy attack occurs, the reduction in the total supply of the token on the source chain may not take effect as intended. This could result in an inconsistent state and potential issues with the correctness and security of the contract.
Manual review.
To address the vulnerability, it is recommended to reorder the operations in the handleIncomingRESDL function. The state update, particularly the reduction in total supply, should be done before any external calls to ensure atomicity and prevent reentrancy vulnerabilities. Additionally, consider using reentrancy guards or mutex patterns to further enhance the security of the contract.
Updated code should look like this:
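A minimal sketch of the reordering recommended above, added here as an illustration and not taken from the SDLPoolCCIPControllerPrimary source. The interface `IPoolLike`, the contract `ControllerSketch`, the `router` check, the `supplyByChain` mapping and all function signatures are hypothetical stand-ins for the real contract's names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface standing in for the external pool the controller calls.
interface IPoolLike {
    function handleIncoming(address receiver, uint256 tokenId, uint256 amount) external;
}

contract ControllerSketch {
    IPoolLike public immutable pool;                  // hypothetical external pool
    address public immutable router;                  // hypothetical trusted caller
    mapping(uint64 => uint256) public supplyByChain;  // hypothetical per-chain supply
    bool private locked;                              // simple mutex flag

    error Unauthorized();
    error Reentrancy();

    constructor(IPoolLike _pool, address _router) {
        pool = _pool;
        router = _router;
    }

    // Mutex-style guard: rejects any nested entry into a guarded function.
    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    // Before: interaction first, effect second (the ordering the finding describes).
    function handleIncomingUnordered(uint64 srcChain, address receiver, uint256 tokenId, uint256 amount) external {
        if (msg.sender != router) revert Unauthorized();
        pool.handleIncoming(receiver, tokenId, amount);  // external call runs on stale supply
        supplyByChain[srcChain] -= amount;               // state updated only afterwards
    }

    // After: checks, then effects, then interactions, with the guard as a second layer.
    function handleIncomingCEI(uint64 srcChain, address receiver, uint256 tokenId, uint256 amount)
        external
        nonReentrant
    {
        if (msg.sender != router) revert Unauthorized();  // check
        supplyByChain[srcChain] -= amount;                // effect (0.8+ reverts on underflow)
        pool.handleIncoming(receiver, tokenId, amount);   // interaction last
        // If the external call reverts, the whole transaction reverts and the
        // supply reduction above is rolled back with it.
    }
}
```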