Submission Details
Severity:
TokenManager::withdraw function implements the line `IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount)` that introduces a reentrancy risk.
Summary
TokenManager::withdraw function implements the line IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount) that makes an external call to the deposit function of a wrapped native token contract. This external call introduces a reentrancy risk.
Vulnerability Details
function withdraw( //@audit : reentrancy
address _tokenAddress,
TokenBalanceType _tokenBalanceType
) external whenNotPaused {
uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][
_tokenAddress
][_tokenBalanceType];
if (claimAbleAmount == 0) {
return;
}
address capitalPoolAddr = tadleFactory.relatedContracts(
RelatedContractLibraries.CAPITAL_POOL
);
if (_tokenAddress == wrappedNativeToken) {
/**
* @dev token is native token
* @dev transfer from capital pool to msg sender
* @dev withdraw native token to token manager contract
* @dev transfer native token to msg sender
*/
_transfer(
wrappedNativeToken,
capitalPoolAddr,
address(this),
claimAbleAmount,
capitalPoolAddr
);
@> IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount); //@audit external call
@> payable(msg.sender).transfer(claimAbleAmount); //@audit
} else {
/**
* @dev token is ERC20 token
* @dev transfer from capital pool to msg sender
*/
_safe_transfer_from(
_tokenAddress,
capitalPoolAddr,
_msgSender(),
claimAbleAmount
);
}
emit Withdraw(
_msgSender(),
_tokenAddress,
_tokenBalanceType,
claimAbleAmount
);
}
Impact
exposes the protocol to reentrancy attack
Tools Used
manual review
Recommendations
To prevent this, you can implement a reentrancy guard:
Prize pool breakdown
Total prize
27,750 USDC
nSLOC
1,22923
USDC / LOC
25,000 USDC
2,750 USDC
2,250 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.