MorpheusAI
MorpheusAI
Foundry
22,500 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Tokens drain due to reentrancy in `collectFees`

KeyKiril

Summary

Drain tokens condition due to reentrancy in collectFees

Vulnerability Details

collectFees function is not guarded by a re-entrancy guard.

function collectFees(uint256 tokenId_) external returns (uint256 amount0_, uint256 amount1_) {
INonfungiblePositionManager.CollectParams memory params_ = INonfungiblePositionManager.CollectParams({
tokenId: tokenId_,
recipient: address(this),
amount0Max: type(uint128).max,
amount1Max: type(uint128).max
});
(amount0_, amount1_) = INonfungiblePositionManager(nonfungiblePositionManager).collect(params_);
emit FeesCollected(tokenId_, amount0_, amount1_);
}

In case a transfer of at least one of the
tokens in a trading pair allows to invoke arbitrary code (e.g. token implementing callbacks/hooks), it is possible for
a malicious host to drain trading pools. The re-entrancy condition allows to transfer collected fees multiple times to
both DAO and the host beyond the actual fee counter.

Impact

Loss of funds

Tools Used

Manual Review

Recommendations

Add re-entrancy guard to mitigate the issue in collectFees function or implement a check-
effect-interaction pattern to update the balance before the transfer is executed

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.