The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

LiquidationPool::decreasePosition() check-effects-interaction pattern not respected - risk of reentrancy for ERC20 tokens with hooks

Summary and Vulnerability Details

At the current stage and for the list of allowed assets and tokens there is no reentrancy risk, because ERC20 tokens are not vulnerable to reentrancy attacks.

However, if additional tokens are supported at a later stage of the project, the team needs to consider that certain exotic ERC20 tokens may provide hooks which allow reentrancy attacks, because the Checks-Effects-Interaction pattern is not respected in this function.

As a good coding/security practice, always apply the Checks-Effects-Interaction pattern.

Impact

Risk of reentrancy attack for ERC20 tokens that provide hooks.

Tools Used

Manual Review

Recommendations

Respect the Checks-Effects-Interaction pattern and place the line of code that modifies the user's position before the safe transfer method, for _tstVal as well as _eurosVal:

positions[msg.sender].TST -= _tstVal;
IERC20(TST).safeTransfer(msg.sender, _tstVal);

And:

positions[msg.sender].EUROs -= _eurosVal;
IERC20(EUROs).safeTransfer(msg.sender, _eurosVal);
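
What the recommended ordering changes, shown as an added example that is not part of the submission or the project's code: a Python model of the state a recipient hook observes while a withdrawal is in flight. The hook-calling token (ERC777-style) and the names `HookToken`, `Pool`, `Holder` and `observe` are assumptions made for illustration.

```python
# Constructed model, not the project's code: what a recipient hook observes
# while a withdrawal is in flight, under the two statement orderings.

class HookToken:
    """Token that notifies the recipient on transfer (ERC777-style hook)."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_tokens_received", None)
        if hook is not None:
            hook(self, sender)  # control passes to the recipient here

class Pool:
    """Hypothetical stand-in for a pool that tracks per-user positions."""
    def __init__(self, token, effects_first):
        self.token, self.effects_first = token, effects_first
        self.positions = {}

    def deposit(self, user, amount):  # setup helper for the model only
        self.token.balances[self] = self.token.balances.get(self, 0) + amount
        self.positions[user] = self.positions.get(user, 0) + amount

    def decrease_position(self, user, amount):
        if amount > self.positions.get(user, 0):      # check
            raise ValueError("amount exceeds position")
        if self.effects_first:
            self.positions[user] -= amount            # effect
            self.token.transfer(self, user, amount)   # interaction
        else:
            self.token.transfer(self, user, amount)   # interaction
            self.positions[user] -= amount            # effect, after the hook ran

class Holder:
    """Recipient that only records state inside the hook; it never re-enters."""
    def on_tokens_received(self, token, pool):
        self.seen = (pool.positions[self], token.balances[self])

def observe(effects_first, amount=100):
    """Return ((position, token balance) seen in the hook, final position)."""
    token, holder = HookToken(), Holder()
    pool = Pool(token, effects_first)
    pool.deposit(holder, amount)
    pool.decrease_position(holder, amount)
    return holder.seen, pool.positions[holder]
```

With the transfer first, the hook sees the full position still recorded although the tokens have already left the pool; with the position updated first, the recorded position and the tokens paid out always sum to the deposit.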

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
