Submission Details
Severity: high
Valid

Reentrancy attack via `ThePredicter::cancelRegistration` to drain fund fees

Summary

A reentrancy vulnerability was found in `ThePredicter::cancelRegistration` that allows the entrance fees held by the contract to be drained.

Vulnerability Details

`ThePredicter::cancelRegistration` allows users who were not selected as players to cancel their registration and withdraw the entrance fee they paid.

```solidity
function cancelRegistration() public {
    if (playersStatus[msg.sender] == Status.Pending) {
        //@audit-high: reentrancy attack risk, should follow CEI flow
        (bool success, ) = msg.sender.call{value: entranceFee}("");
        require(success, "Failed to withdraw");
        playersStatus[msg.sender] = Status.Canceled;
        return;
    }
    revert ThePredicter__NotEligibleForWithdraw();
}
```

However, the function performs the external call that sends the entrance fee before it updates `playersStatus`. While the call is in flight the caller's status is still `Status.Pending`, so a contract receiving the refund can re-enter `cancelRegistration` and pass the check again, which is a classic reentrancy condition.

Impact

A reentrancy attack could drain the entrance fees held by the contract.

Tools Used

Manual review

Recommendations

Update `playersStatus` before making the external call, following the checks-effects-interactions pattern:

function cancelRegistration() public {
if (playersStatus[msg.sender] == Status.Pending) {
+ playersStatus[msg.sender] = Status.Canceled;
(bool success, ) = msg.sender.call{value: entranceFee}("");
require(success, "Failed to withdraw");
- playersStatus[msg.sender] = Status.Canceled;
return;
}
revert ThePredicter__NotEligibleForWithdraw();
}
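Review bot: the reordering is the right fix; with `playersStatus[msg.sender] = Status.Canceled;` ahead of the `call`, a re-entrant call from the recipient hits the `revert ThePredicter__NotEligibleForWithdraw();` branch, and because `require(success, "Failed to withdraw");` reverts the whole transaction on a failed transfer, the early status write is rolled back too, so the change does not leave a player marked Canceled without a refund.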
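A Foundry regression test for the recommended ordering, added here as an example and not part of the original submission or of the ThePredicter code base. It assumes forge-std, a minimal stand-in contract (`ThePredicterFixed`, with an assumed 0.04 ether fee and a simplified `Status` enum) and a receiver that re-enters once from `receive()`, and checks that the nested call reverts and that exactly one fee leaves the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
contract ThePredicterFixed { // assumed stand-in, not the audited contract
    enum Status { Unknown, Pending, Approved, Canceled }
    error ThePredicter__NotEligibleForWithdraw();
    uint256 public constant entranceFee = 0.04 ether; // assumed value
    mapping(address => Status) public playersStatus;
    function register() external payable {
        require(msg.value == entranceFee, "wrong fee");
        playersStatus[msg.sender] = Status.Pending;
    }
    function cancelRegistration() public {
        if (playersStatus[msg.sender] == Status.Pending) {
            playersStatus[msg.sender] = Status.Canceled; // effect before interaction (CEI)
            (bool success, ) = msg.sender.call{value: entranceFee}("");
            require(success, "Failed to withdraw");
            return;
        }
        revert ThePredicter__NotEligibleForWithdraw();
    }
}
// Receiver that re-enters once from receive() and records whether the nested call went through.
contract ReenteringPlayer {
    ThePredicterFixed immutable target;
    bool public reentrySucceeded;
    constructor(ThePredicterFixed t) { target = t; }
    function join() external payable { target.register{value: msg.value}(); }
    function leave() external { target.cancelRegistration(); }
    receive() external payable {
        (reentrySucceeded, ) = address(target).call(abi.encodeCall(target.cancelRegistration, ()));
    }
}
contract CancelRegistrationCEITest is Test {
    function testReentryCannotWithdrawTwice() public {
        ThePredicterFixed p = new ThePredicterFixed();
        ReenteringPlayer a = new ReenteringPlayer(p);
        uint256 fee = p.entranceFee(); // read once so vm.prank is not consumed by a getter call
        address honest = makeAddr("honest");
        vm.deal(honest, fee); vm.deal(address(this), fee);
        vm.prank(honest);
        p.register{value: fee}(); // a second fee that a successful re-entry would have taken
        a.join{value: fee}();
        a.leave();
        assertFalse(a.reentrySucceeded()); // nested call saw Status.Canceled and reverted
        assertEq(address(a).balance, fee); // exactly one refund
        assertEq(address(p).balance, fee); // honest player's fee untouched
    }
}
```

Running the same test against the original ordering (status write after the call) makes the first assertion fail, which is the regression the fix is meant to prevent.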
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy in cancelRegistration

Reentrancy of ThePredicter::cancelRegistration allows a malicious user to drain all funds.
