Submission Details
Severity: high
Valid

Reentrancy in ThePredicter::cancelRegistration(), which uses call to transfer funds to msg.sender before updating state

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-the-predicter/blob/main/src/ThePredicter.sol#L62-L70

Summary

If the cancelRegistration function is exploited, an attacker can repeatedly withdraw funds. The function refunds the entrance fee with

(bool success, ) = msg.sender.call{value: entranceFee}("");

This is vulnerable to reentrancy because the state change (marking the caller as Canceled) happens only after the fund transfer, so the caller's status is still Pending while control is handed to it.

Vulnerability Details

Using call to transfer Ether is acceptable when the return value is checked and the transaction reverts on failure. The problem here is the ordering: the external call is made while playersStatus[msg.sender] is still Pending, so a contract receiving the Ether can re-enter cancelRegistration from its receive/fallback function, pass the Pending check again and receive entranceFee a second time, repeating until the contract balance is exhausted.

function cancelRegistration() public {
    if (playersStatus[msg.sender] == Status.Pending) {
        // Interaction first: the external call hands control to msg.sender
        (bool success, ) = msg.sender.call{value: entranceFee}("");
        require(success, "Failed to withdraw");
        // Effect only afterwards: status is still Pending during the call above
        playersStatus[msg.sender] = Status.Canceled;
        return;
    }
    revert ThePredicter__NotEligibleForWithdraw();
}

Impact

An attacker who re-enters cancelRegistration can withdraw entranceFee repeatedly before their status is updated, draining the entrance fees deposited by other players.

Tools Used

Manual

Recommendations

Reentrancy guard modifiers should be placed on cancelRegistration and all other protocol functions that make external calls. In addition, cancelRegistration should follow the Checks-Effects-Interactions pattern: set playersStatus[msg.sender] = Status.Canceled before making the call, so that a re-entrant call fails the Pending check even without the guard.
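The hardened form of the function, as an added example that is not the project's code: a minimal stand-in contract that reuses only the identifiers from the report (playersStatus, Status.Pending, Status.Canceled, entranceFee, ThePredicter__NotEligibleForWithdraw). The enum's other members, the constructor, register() and the hand-rolled nonReentrant modifier are assumptions made for the example; OpenZeppelin's ReentrancyGuard can replace the modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the ThePredicter source: cancelRegistration() fixed with
/// Checks-Effects-Interactions ordering plus a reentrancy guard.
contract ThePredicterFixed {
    // Assumed enum layout; only Pending and Canceled appear in the report.
    enum Status { Unknown, Pending, Approved, Canceled }

    error ThePredicter__NotEligibleForWithdraw();
    error ThePredicter__Reentrant();

    uint256 public immutable entranceFee;
    mapping(address => Status) public playersStatus;

    // Simple mutex, equivalent in effect to OpenZeppelin's nonReentrant.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        if (_locked == 2) revert ThePredicter__Reentrant();
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // Assumed registration flow: pay the fee once and become Pending.
    function register() external payable {
        require(msg.value == entranceFee, "Wrong fee");
        require(playersStatus[msg.sender] == Status.Unknown, "Already registered");
        playersStatus[msg.sender] = Status.Pending;
    }

    function cancelRegistration() external nonReentrant {
        // Check: only a Pending player may withdraw.
        if (playersStatus[msg.sender] != Status.Pending) {
            revert ThePredicter__NotEligibleForWithdraw();
        }
        // Effect: update state BEFORE the external call, so a re-entrant
        // call fails the check above even if the guard were absent.
        playersStatus[msg.sender] = Status.Canceled;
        // Interaction: refund last; the call can now be re-entered harmlessly.
        (bool success, ) = msg.sender.call{value: entranceFee}("");
        require(success, "Failed to withdraw");
    }
}
```

Either defence alone closes the finding; using both is cheap and protects against the ordering being broken again in a later refactor. Note that if the refund fails, the whole transaction reverts, so the status change is rolled back together with the failed transfer.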

Updates

Lead Judging Commences

NightHawK Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy in cancelRegistration

Reentrancy of ThePredicter::cancelRegistration allows a malicious user to drain all funds.
