Submission Details
Severity: low
Invalid

The `Vault::initVault` function is not following the CEI pattern.

Description: The protocol implemented the `Vault::initVault` function to allow the approval of management contracts to handle tokens.

```solidity
function initVault(ILoveToken loveToken, address managerContract) public {
    if (vaultInitialize) revert Vault__AlreadyInitialized();
    loveToken.initVault(managerContract);
@>  vaultInitialize = true;
}
```

Impact: Looking at the highlighted line of code, we can see that the approval of the `managerContract` to handle the LoveTokens happens before the `Vault::vaultInitialize` variable is updated, contrary to the CEI (checks-effects-interactions) pattern. The function intends to approve manager contracts to handle LoveTokens, and these tokens fall under the ERC-20 standard, which can be exploited for reentrancy. Although an exploit cannot be verified, whereby there would be explicit loss due to this, it is highly recommended to follow the CEI pattern to prevent a possible reentrancy attack.
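The ordering concern described above, as an added example (not code from the protocol or from the submission): both `initVault` orderings are run against `CallbackToken`, a constructed test double that calls back into the vault once. Whether the real LoveToken makes any such callback is not shown on this page; `IVault`, `VaultBase`, `VaultInteractionFirst`, `VaultCEI`, `CallbackToken` and `OrderingCheck` are hypothetical names.

```solidity
pragma solidity ^0.8.20;
interface ILoveToken { function initVault(address managerContract) external; }
interface IVault { function initVault(ILoveToken loveToken, address managerContract) external; }

// Constructed test double (assumption), NOT the real LoveToken: calls back into the vault once.
contract CallbackToken is ILoveToken {
    uint256 public calls;        // times a vault reached this token
    bool public reentryBlocked;  // true if the nested initVault reverted
    function initVault(address managerContract) external {
        calls++;
        if (calls == 1) {
            try IVault(msg.sender).initVault(this, managerContract) {}
            catch { reentryBlocked = true; }
        }
    }
}

abstract contract VaultBase is IVault {
    error Vault__AlreadyInitialized();
    bool public vaultInitialize;
}

// Ordering from the finding: external call first, flag second.
contract VaultInteractionFirst is VaultBase {
    function initVault(ILoveToken loveToken, address managerContract) public {
        if (vaultInitialize) revert Vault__AlreadyInitialized();
        loveToken.initVault(managerContract);
        vaultInitialize = true;
    }
}

// Recommended ordering: check, effect, then interaction.
contract VaultCEI is VaultBase {
    function initVault(ILoveToken loveToken, address managerContract) public {
        if (vaultInitialize) revert Vault__AlreadyInitialized();
        vaultInitialize = true;
        loveToken.initVault(managerContract);
    }
}

contract OrderingCheck {
    // Returns how often each token was reached and whether re-entry was blocked.
    function run() external returns (uint256 callsFirst, uint256 callsCEI, bool blockedCEI) {
        CallbackToken a = new CallbackToken();
        CallbackToken b = new CallbackToken();
        (new VaultInteractionFirst()).initVault(a, address(1));
        (new VaultCEI()).initVault(b, address(1));
        return (a.calls(), b.calls(), b.reentryBlocked());
    }
}
```

With the call-first ordering the nested call passes the guard, so the token is reached twice. With the flag-first ordering the nested call reverts with `Vault__AlreadyInitialized` and the token is reached once.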

Recommended Mitigation: Perform the approval of the `managerContract` to handle LoveTokens after updating the `Vault::vaultInitialize` variable.

function initVault(ILoveToken loveToken, address managerContract) public {
if (vaultInitialize) revert Vault__AlreadyInitialized();
- loveToken.initVault(managerContract);
- vaultInitialize = true;
+ vaultInitialize = true;
+ loveToken.initVault(managerContract);
}
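Review bot: The reordered body still leaves `initVault` declared `public` with no caller restriction visible in these lines, and `loveToken` is a caller-supplied argument, so writing `vaultInitialize = true;` before `loveToken.initVault(managerContract);` guards against a nested or repeated call but does not constrain who makes the first call or which token address it targets. Consider restricting the function to the deployer or owner (or performing this wiring in the constructor), and add a short comment above the flag write stating that it is set before the external call on purpose, so a later refactor does not move it back.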
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
oxenzo Submitter
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
