Tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Invalid

Reentrancy vulnerabilities in `Airdrop::claim`, `Staking::claimRewards`, and `Vault::initVault` are also detected.

Summary

The functions Airdrop::claim, Staking::claimRewards, and Vault::initVault are vulnerable to reentrancy attacks.

Vulnerability Details

Reentrancy in Airdrop::claim (src/Airdrop.sol#51-89):
External calls:
- numberOfDaysInCouple = (block.timestamp - soulmateContract.idToCreationTimestamp(soulmateContract.ownerToId(msg.sender))) / daysInSecond (src/Airdrop.sol#56-59)
- amountAlreadyClaimed >= numberOfDaysInCouple * 10 ** loveToken.decimals() (src/Airdrop.sol#64-65)
- tokenAmountToDistribute = (numberOfDaysInCouple * 10 ** loveToken.decimals()) - amountAlreadyClaimed (src/Airdrop.sol#68-69)
- tokenAmountToDistribute = loveToken.balanceOf(address(airdropVault)) (src/Airdrop.sol#76-78)
State variables written after the call(s):
- _claimedBy[msg.sender] += tokenAmountToDistribute (src/Airdrop.sol#80)
Airdrop._claimedBy (src/Airdrop.sol#26) can be used in cross function reentrancies:
- Airdrop.claim() (src/Airdrop.sol#51-89)

Reentrancy in Staking::claimRewards (src/Staking.sol#70-99):
External calls:
- soulmateId = soulmateContract.ownerToId(msg.sender) (src/Staking.sol#71)
- lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(soulmateId) (src/Staking.sol#74-76)
State variables written after the call(s):
- lastClaim[msg.sender] = block.timestamp (src/Staking.sol#87)
Staking.lastClaim (src/Staking.sol#26) can be used in cross function reentrancies:
- Staking.claimRewards() (src/Staking.sol#70-99)
- Staking.lastClaim (src/Staking.sol#26)

Reentrancy in Vault::initVault(ILoveToken,address) (src/Vault.sol#27-31):
External calls:
- loveToken.initVault(managerContract) (src/Vault.sol#29)
State variables written after the call(s):
- vaultInitialize = true (src/Vault.sol#30)
Vault.vaultInitialize (src/Vault.sol#18) can be used in cross function reentrancies:
- Vault.initVault(ILoveToken,address) (src/Vault.sol#27-31)
- Vault.vaultInitialize (src/Vault.sol#18)

Impact

Reentrancy vulnerabilities ultimately result in the loss of funds in the vault.

Tools Used

Slither

Recommendations

Apply the check-effects-interactions (CEI) pattern.
Reference: https://docs.soliditylang.org/en/v0.4.21/security-considerations.html#re-entrancy
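To make the recommendation concrete, the following added example (not the audited project's code; the `IRewardToken`, `IEntitlement`, `earned` and `claimedBy` names are assumed for illustration) shows a claim function with the ordering Slither flags above, a storage write after external calls, next to the same function reordered into checks, effects, interactions and guarded with a simple reentrancy lock:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the Checks-Effects-Interactions (CEI) pattern.
// Assumed interfaces and names; this is not the audited project's code.

interface IRewardToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IEntitlement {
    // Assumed external view: total tokens `account` has earned so far.
    function earned(address account) external view returns (uint256);
}

/// Weak ordering, kept for comparison: `claimedBy` is written only after the
/// external calls, so code that runs inside `token.transfer` (for example a
/// token with transfer hooks) can call `claim()` again and observe the
/// stale, not yet incremented `claimedBy` value.
contract ClaimBeforeEffects {
    IRewardToken public immutable token;
    IEntitlement public immutable entitlement;
    mapping(address => uint256) public claimedBy;

    constructor(IRewardToken _token, IEntitlement _entitlement) {
        token = _token;
        entitlement = _entitlement;
    }

    function claim() external {
        uint256 owed = entitlement.earned(msg.sender) - claimedBy[msg.sender]; // external read
        require(owed > 0, "nothing to claim");                                 // check
        token.transfer(msg.sender, owed);                                      // interaction
        claimedBy[msg.sender] += owed;                                         // effect AFTER interaction
    }
}

/// CEI ordering: checks, then every storage write, then the external call
/// that can execute foreign code. A re-entered call now sees `claimedBy`
/// already updated and reverts on "nothing to claim". The `nonReentrant`
/// lock is defence in depth on top of the ordering.
contract ClaimWithCEI {
    IRewardToken public immutable token;
    IEntitlement public immutable entitlement;
    mapping(address => uint256) public claimedBy;
    bool private locked;

    event Claimed(address indexed account, uint256 amount);

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IRewardToken _token, IEntitlement _entitlement) {
        token = _token;
        entitlement = _entitlement;
    }

    function claim() external nonReentrant {
        // Checks: the external read is a staticcall and cannot modify state,
        // so it is safe to treat as part of the checks.
        uint256 earned = entitlement.earned(msg.sender);
        uint256 owed = earned - claimedBy[msg.sender]; // reverts on underflow in 0.8.x
        require(owed > 0, "nothing to claim");

        // Effects: all bookkeeping is finalised before any foreign code can run.
        claimedBy[msg.sender] += owed;
        emit Claimed(msg.sender, owed);

        // Interactions: the only call that may hand control to another contract.
        require(token.transfer(msg.sender, owed), "transfer failed");
    }
}
```

The same ordering applies to the `Vault::initVault` finding: a one-shot initialisation flag should be checked and set before the external `initVault` call, not after it, so that a second entry into the function during that call is rejected by the flag. Where the protocol already pulls in OpenZeppelin, its `ReentrancyGuard` can replace the hand-written `nonReentrant` modifier shown here.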

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
