The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Reentrancy and untrusted call can be used to drain funds from claimRewards()

Summary

claimRewards() can be called by any contract, and the function has no checks or re-entrancy protection around its external call. An attacker could use this to drain the reward.

Vulnerability Details

A staker can turn malicious by deploying a custom contract that calls claimRewards(). Because claimRewards() is an external function callable by anyone, the attacker's contract is free to run whatever logic it wants when the pool hands control back to it.

Impact

There are no reentrancy guards in the LiquidationPool contract, so a malicious contract could call back into claimRewards() by taking advantage of the low-level call on L#172.

The malicious call can be used to drain a major part or all of the reward.
If re-entrancy protection were in place, the attacker's contract could not call back into the pool, which would severely limit what it can do.

Tools Used

Manual Code Review

Recommendations

Add OpenZeppelin's ReentrancyGuardUpgradeable nonReentrant modifier to all external functions that are callable by anyone, and specifically to the claimRewards() method.
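As an added illustration (not The Standard's LiquidationPool source and not the submitter's code), the hypothetical reward pool below shows the pattern the finding describes beside the hardened form the recommendation asks for: a native-ETH payout made with a low-level call while the claimant's balance is still unclaimed, versus checks-effects-interactions ordering plus OpenZeppelin's ReentrancyGuardUpgradeable. The contract names, the rewards mapping and the deposit() helper are assumptions; the import paths follow the OpenZeppelin contracts-upgradeable v5 layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: a hypothetical reward pool, not The Standard's
// LiquidationPool and not the submitter's code. Import paths follow the
// OpenZeppelin contracts-upgradeable v5 layout (assumption).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";

/// @dev "Before" pattern described in the finding: the payout is made with a
/// low-level call while rewards[msg.sender] still holds the unclaimed amount,
/// so a contract caller's receive()/fallback() observes the stale balance.
contract RewardPoolVulnerable {
    mapping(address => uint256) public rewards;

    function deposit() external payable {
        rewards[msg.sender] += msg.value;
    }

    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        // Interaction before effect: control passes to msg.sender here.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        rewards[msg.sender] = 0; // effect applied only after the call returns
    }
}

/// @dev Hardened form: checks-effects-interactions ordering plus the
/// nonReentrant modifier the recommendation asks for, as defence in depth.
contract RewardPoolHardened is Initializable, ReentrancyGuardUpgradeable {
    mapping(address => uint256) public rewards;

    event RewardClaimed(address indexed staker, uint256 amount);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize() external initializer {
        __ReentrancyGuard_init(); // sets up the guard's storage behind a proxy
    }

    function deposit() external payable {
        rewards[msg.sender] += msg.value;
    }

    function claimRewards() external nonReentrant {
        uint256 amount = rewards[msg.sender];             // check
        require(amount > 0, "nothing to claim");
        rewards[msg.sender] = 0;                          // effect before any external call
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
        emit RewardClaimed(msg.sender, amount);
    }
}
```

Behind a proxy the logic contract's constructor never runs for the proxy's storage, so the guard is initialised in initialize() via __ReentrancyGuard_init(). Two points a reviewer would check before accepting a finding like this: nonReentrant only blocks re-entry into functions that carry the modifier, so the ordering fix (zeroing rewards[msg.sender] before the call) is what actually closes the stale-balance window; and the report should name which state the callback can read or modify after the call at the cited line, otherwise the guard is a hygiene improvement rather than a fix for a demonstrated loss. This submission was judged "Non-acceptable severity".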

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:
claims-reentrancy
informational/invalid
