NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Reentrancy Vulnerability in _withdrawFromEscrow Function of StarklaneEscrow Contract

Summary

The StarklaneEscrow contract allows withdrawals of NFTs through the _withdrawFromEscrow function. However, due to improper state management, an attacker can exploit the contract by using a reentrancy attack, enabling them to withdraw the same NFT multiple times.

Vulnerability Details

The vulnerability exists because the contract's state is not updated before the external call to transfer the NFT. This allows the attacker to re-enter the contract through the fallback function and repeatedly call _withdrawFromEscrow to transfer the same NFT multiple times.

Impact

An attacker can drain the NFT assets from the escrow contract, potentially causing significant financial losses and rendering the contract unusable for its intended purpose.

Tools Used

Manual Review

Recommendations

  • Implement the Checks-Effects-Interactions Pattern: Update the contract's state before making any external calls to prevent reentrancy attacks.

  • Use Reentrancy Guard: Apply the nonReentrant modifier from OpenZeppelin's ReentrancyGuard to the _withdrawFromEscrow function to prevent reentrant calls.
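
The ordering behind both recommendations, as an added example that is not part of the submission or of the StarklaneEscrow source. It is a hypothetical minimal ERC-721 escrow: the contract, function and mapping names are assumptions, and the import paths assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical minimal escrow written for this example; all names are
// assumptions and this is not the StarklaneEscrow code.
contract EscrowSketch is ReentrancyGuard {
    // collection => tokenId => depositor (address(0) means "not escrowed")
    mapping(address => mapping(uint256 => address)) private _escrow;

    function deposit(address collection, uint256 id) external nonReentrant {
        // Record the depositor, then pull the token; a failed transfer reverts both.
        _escrow[collection][id] = msg.sender;
        IERC721(collection).transferFrom(msg.sender, address(this), id);
    }

    // Ordering the report warns about: the escrow entry is still set while
    // safeTransferFrom runs the recipient's onERC721Received callback.
    function _withdrawInteractionFirst(address collection, address to, uint256 id) internal returns (bool) {
        if (_escrow[collection][id] == address(0)) return false;
        IERC721(collection).safeTransferFrom(address(this), to, id); // external call first
        _escrow[collection][id] = address(0);                        // state updated too late
        return true;
    }

    // Checks-Effects-Interactions: clear the entry before the external call.
    function _withdrawCEI(address collection, address to, uint256 id) internal returns (bool) {
        if (_escrow[collection][id] == address(0)) return false;     // check
        delete _escrow[collection][id];                              // effect
        IERC721(collection).safeTransferFrom(address(this), to, id); // interaction
        return true;
    }

    // The guard sits on the external entry point: nonReentrant functions
    // cannot call one another, so the internal helper stays unguarded.
    function withdraw(address collection, address to, uint256 id) external nonReentrant {
        require(_escrow[collection][id] == msg.sender, "not depositor");
        _withdrawCEI(collection, to, id);
    }
}
```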

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

finding-withdraw-reentrancy-creates-unbridgeable-tokens

Impact:
- NFT already bridged won’t be bridgeable anymore without being stuck.
Likelihood: Low.
- Attackers will corrupt their own tokens, deploying a risky contract interacting with an upgradable proxy. They have to buy and sell them without real benefits, except being mean. Some really specific and rare scenarios can also trigger that bug.
