The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Possible reentrancy

bube

Summary

In LiquidationPool::decreasePosition there is a change of state after external call and the function has no nonReentrant modifier.

Vulnerability Details

User might manipulate LiquidationPool::decreasePosition function inside the transfer hook. With the current TST token, there is no impact as it doesn't have any hook but it's recommended to add a nonReentrant modifier to decreasePosition function and to make the change of the state before the safeTransfer call.

function decreasePosition(uint256 _tstVal, uint256 _eurosVal) external {
consolidatePendingStakes();
ILiquidationPoolManager(manager).distributeFees();
require(_tstVal <= positions[msg.sender].TST && _eurosVal <= positions[msg.sender].EUROs, "invalid-decr-amount");
if (_tstVal > 0) {
@> IERC20(TST).safeTransfer(msg.sender, _tstVal);
positions[msg.sender].TST -= _tstVal;
}
if (_eurosVal > 0) {
@> IERC20(EUROs).safeTransfer(msg.sender, _eurosVal);
positions[msg.sender].EUROs -= _eurosVal;
}
if (empty(positions[msg.sender])) deletePosition(positions[msg.sender]);
}

Tools Used

Manual Review

Recommendations

Add a nonReentrant modifier to decreasePosition function and perform the change of the state before the safeTransfer call.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.