Non-Atomic Transactions in DeliveryPlace.sol
Summary
Transfers are performed before state updates which can lead to re-entrancy attacks and other unpredictable behaviors if an exception is thrown. This is because Solidity aims to be a "fail-safe" language, which means when an exception is thrown, all changes to the state from the current function call and all its sub-calls are reverted, apart from the payment of the gas fee. This aim to be fail-safe leads to interesting behaviors in the presence of re-entrancy attacks and related vulnerabilities.
Vulnerability Details
In DeliveryPlace.sol, functions closeBidOffer, closeBidTaker, settleAskMaker, and settleAskTaker update token balances before updating the contract states. This implies that in the event of a re-entrancy attack, the token balances could be manipulated while the contract state remains as is.
For example:
Above is an example of the affected code where token balance is added before updating the stock status.
Impact
the token balances could be manipulated while the contract state remains as is.
Tools Used
manual review
Recommendations
To remedy these findings, it's recommended to:
Always follow the Checks-Effects-Interactions Pattern to make your contract invulnerable to re-entrancy attacks and maintain state consistency.
Update any affected state variables before performing any transfer of tokens.
Consider making use of the re-entrancy guard modifier provided by OpenZeppelin's
ReentrancyGuardcontract if necessary.
Lead Judging Commences
[invalid] finding-PreMarkets-reentrancy
Invalid, all [vague generalities](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#vague-generalities) talking about possible reentrancies 11and afaik, reentrancy is not possible and not proven.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.