First Flight #21: KittyFi

First Flight #21
Tags: Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Status: Invalid

Reentrancy in whiskdrawMeowllateral function

Description

The KittyPool::whiskdrawMeowllateral function does not follow the Checks-Effects-Interactions (CEI) pattern, which exposes it to potential reentrancy attacks. In the current implementation, an external call to KittyVault::executeWhiskdrawal is made before validating the user's collateral with a require statement.

```solidity
function whiskdrawMeowllateral(address _token, uint256 _ameownt) external tokenExists(_token) {
@> IKittyVault(tokenToVault[_token]).executeWhiskdrawal(msg.sender, _ameownt);
require(_hasEnoughMeowllateral(msg.sender), KittyPool__NotEnoughMeowllateralPurrrr());
}
```

Impact

Not adhering to the CEI pattern could allow a malicious actor to exploit the reentrancy vulnerability, potentially draining the contract balance and causing loss of user collateral.

Tools Used: Manual Review

Recommendations

To mitigate the risk of a reentrancy attack, follow the Checks-Effects-Interactions pattern by first performing all necessary checks, then updating the state, and finally making external calls. Here’s the corrected version of the whiskdrawMeowllateral function:

```solidity
function whiskdrawMeowllateral(address _token, uint256 _ameownt) external tokenExists(_token) {
    // Check
    require(_hasEnoughMeowllateral(msg.sender), KittyPool__NotEnoughMeowllateralPurrrr());
    // Interactions
    IKittyVault(tokenToVault[_token]).executeWhiskdrawal(msg.sender, _ameownt);
    // No state changes after external calls to follow CEI pattern
}
```
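To make the Checks-Effects-Interactions argument concrete, the following is an added, self-contained illustration written for this page; it is not KittyFi code and does not reproduce KittyPool or KittyVault. It uses a hypothetical `SimplePool` that holds raw ETH, so the withdrawal's external call is a native transfer that hands control back to the caller (the classic reentrancy surface). `withdrawAllVulnerable` zeroes the caller's balance only after that transfer, while `withdrawCEI` reduces the balance and re-validates the position before transferring, and a minimal `nonReentrant` guard is shown as defence in depth. All names (`SimplePool`, `withdrawAllVulnerable`, `withdrawCEI`, `_isHealthy`, `debt`) are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this page; not KittyFi's contracts.
// Every identifier below is hypothetical.
contract SimplePool {
    mapping(address => uint256) public collateral; // ETH deposited per user
    mapping(address => uint256) public debt;       // borrowed amount per user (same unit as collateral)

    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lock = UNLOCKED;

    // Minimal mutex: a nested call into any guarded function reverts.
    modifier nonReentrant() {
        require(lock == UNLOCKED, "reentrant call");
        lock = LOCKED;
        _;
        lock = UNLOCKED;
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    // A position is healthy when collateral covers debt at 150% or better.
    function _isHealthy(address user) internal view returns (bool) {
        return collateral[user] * 100 >= debt[user] * 150;
    }

    // VULNERABLE ORDERING (interaction before effect).
    // The ETH transfer runs the recipient's code while collateral[msg.sender]
    // still holds the full balance, so a re-entering caller passes the
    // check again and is paid again before the balance is zeroed.
    function withdrawAllVulnerable() external {
        uint256 amount = collateral[msg.sender];
        require(amount > 0, "nothing to withdraw");          // check
        (bool ok, ) = msg.sender.call{value: amount}("");    // interaction
        require(ok, "transfer failed");
        collateral[msg.sender] = 0;                          // effect (too late)
        require(_isHealthy(msg.sender), "undercollateralized");
    }

    // CEI ORDERING: check, effect, then interaction.
    // The balance is reduced and the position re-validated on the new
    // state before any external call, so a re-entering caller sees the
    // already-reduced balance. The guard makes re-entry revert outright.
    function withdrawCEI(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] >= amount, "insufficient");  // check
        collateral[msg.sender] -= amount;                             // effect
        require(_isHealthy(msg.sender), "undercollateralized");      // check on updated state
        (bool ok, ) = msg.sender.call{value: amount}("");            // interaction
        require(ok, "transfer failed");
    }
}
```

Two points a reviewer should separate when assessing a finding like this one: whether the external call actually returns control to an untrusted party (a native ETH send or a hook-bearing token does; a call into a trusted, guarded vault may not), and whether a `require` placed after the call is a post-condition on the updated state rather than a misplaced pre-check. In `withdrawCEI` the solvency check deliberately runs after the balance effect, because checking the pre-withdrawal balance would validate the wrong state; what matters for reentrancy is that no untrusted call happens before the effects are recorded.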
Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
