C.E.I not followed in `Dussehra::withdraw`. Re-entrancy is possible.
Summary
A Ram calling the Dussehra::withdraw function, can reenter the function maliciously and withdraw more than once because Check-Effects-Interactions pattern was not followed.
Vulnerability Details
The Dussehra::withdraw function allows a selected Ram to withdraw uint256 amount = totalAmountGivenToRam. But in the implementation of this withdrawal, totalAmountGivenToRam is reset to zero just after the withdrawal is done. Which goes against Check-Effects-Interactions pattern thereby opening a surface for reentrancy attack, and enables the caller to possibly reenter the function and get paid again because the state change was not done before payment functionality.
Impact
The Ram can steal funds from contract.
Tools Used
Manual
Recommendations
Follow C-E-I Pattern and ensure state changes are made before external interactions. Please consider how this is displayed below:
Lead Judging Commences
Invalid - reentrancy in withdraw
The `withdraw` function sends the given amount to Ram. If the attacker calls the `withdraw` function again before the state variable is changed, the function will revert because there are no more funds in the contract. This reentrancy has no impact for the protocol. It is recommended to follow the CEI pattern, but this is informational.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.