MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Lack of Reentrancy Protection in closePot Function

Summary

The closePot function in Pot.sol does not have the nonReentrant modifier.

Vulnerability Details

The closePot function in Pot.sol does not use the nonReentrant modifier, which makes it susceptible to reentrancy attacks. This lack of protection allows the function to be executed multiple times in quick succession, even after the 91-day period has elapsed.

    function closePot() external onlyOwner {
        ....
    }

Impact

Since it lacks the nonReentrant modifier, the function is exposed to potential reentrancy attacks.

Tools Used

Unit Tests

    function testCanCloseContest() public mintAndApproveTokens {
        // Create and fund a contest as `user`.
        vm.startPrank(user);
        contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 4);
        ContestManager(conMan).fundContest(0);
        vm.stopPrank();

        // player2 claims their cut.
        vm.startPrank(player2);
        Pot(contest).claimCut();
        vm.stopPrank();

        // Move the block timestamp forward by 91 days.
        vm.warp(block.timestamp + 91 days);

        // Call closeContest three times in a row as `user`.
        vm.startPrank(user);
        ContestManager(conMan).closeContest(contest);
        ContestManager(conMan).closeContest(contest);
        ContestManager(conMan).closeContest(contest);
        vm.stopPrank();
    }

Recommendations

Add the nonReentrant modifier to the depositMany function to ensure that reentrancy is not possible.
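
The following is an added example, not code from the submission or from the MyCut repository, and every contract and function name in it is hypothetical. It shows what a nonReentrant-style guard checks: a call made while the guarded function is still executing is rejected, while back-to-back calls such as the three closeContest calls in the test each begin with the guard released, so a one-shot state flag is what rejects those.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name here is hypothetical; this is not Pot.sol.
interface ICloseHook { function onClose() external; }

contract GuardedPot {
    address public immutable owner; // assumed to be a contract implementing ICloseHook
    bool private locked;            // reentrancy-guard state
    bool public closed;             // one-shot lifecycle flag
    uint256 public closeCount;
    error NotOwner(); error Reentered(); error AlreadyClosed();

    constructor(address owner_) { owner = owner_; }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier nonReentrant() {
        if (locked) revert Reentered(); // a guarded call is already in progress
        locked = true;
        _;
        locked = false;                 // released as soon as the call returns
    }

    // Guard only: a nested call is rejected, but each later call starts unlocked.
    function closeGuardOnly() external onlyOwner nonReentrant {
        closeCount += 1;
        ICloseHook(owner).onClose();    // external call, the only re-entry point
    }

    // Guard plus state check: a second call is rejected whether nested or sequential.
    function closeOnce() external onlyOwner nonReentrant {
        if (closed) revert AlreadyClosed();
        closed = true;                  // effect recorded before the interaction
        closeCount += 1;
        ICloseHook(owner).onClose();
    }
}

contract OwnerProbe is ICloseHook {
    GuardedPot public immutable pot;
    bool private reenter;
    constructor() { pot = new GuardedPot(address(this)); }
    function onClose() external { if (reenter) pot.closeGuardOnly(); }
    // Back-to-back calls: the guard is released between them, so it rejects none.
    function sequential() external { pot.closeGuardOnly(); pot.closeGuardOnly(); pot.closeGuardOnly(); }
    // Nested call from inside the hook: locked is still true, so the guard reverts.
    function nested() external { reenter = true; pot.closeGuardOnly(); }
    // Not nested, yet the second call hits the closed flag and reverts.
    function twice() external { pot.closeOnce(); pot.closeOnce(); }
}
```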

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
