Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Reentrancy in claim reward function

Summary

An attacker who buys a box that holds a reward with value can drain all of the contract's funds through a reentrancy vulnerability in the reward-claiming functions.

Vulnerability Details

  • The functions claimAllRewards and claimSingleReward have no protection against reentrancy. After a user has bought a box and calls one of these functions to claim the reward, the function makes an external call to msg.sender and only afterwards updates the state in the rewardsOwned[msg.sender] mapping:

```solidity
(bool success,) = payable(msg.sender).call{value: totalValue}(""); // @audit reentrancy: external call before state update
require(success, "Transfer failed");
delete rewardsOwned[msg.sender]; // state is cleared only after the transfer
```

msg.sender may be a contract whose fallback/receive function calls the claim function again. Because the mapping has not yet been updated, the caller can keep withdrawing until the contract's funds are gone.

Impact

An attacker who buys a box that holds a reward with value can drain all funds from the contract.

Tools Used

Manual review

Recommendations

  • Follow the Checks-Effects-Interactions (CEI) pattern: update rewardsOwned[msg.sender] before making the external call.

  • Use OpenZeppelin's ReentrancyGuard and mark claimAllRewards and claimSingleReward as nonReentrant.
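The following is an added illustration, not code from the Mystery Box contract or the report author. It places the vulnerable claim pattern quoted in the Vulnerability Details next to a version hardened as the Recommendations describe: state is cleared before the external call (CEI) and the functions are additionally guarded with OpenZeppelin's ReentrancyGuard. The Reward struct, its fields, the loop that sums reward values and the claimSingleReward signature are assumptions made for the example; the import path is the one used by OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: OpenZeppelin Contracts v5 layout (v4 used security/ReentrancyGuard.sol).
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Assumed shape of a reward; only `value` matters for this example.
struct Reward {
    string name;
    uint256 value;
}

// BEFORE: the pattern flagged in the report. The external call happens
// while rewardsOwned[msg.sender] still holds the rewards, so a receive()
// or fallback() in the caller can re-enter claimAllRewards and be paid again.
contract MysteryBoxVulnerable {
    mapping(address => Reward[]) public rewardsOwned;

    function claimAllRewards() public {
        uint256 totalValue = 0;
        for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
            totalValue += rewardsOwned[msg.sender][i].value;
        }
        require(totalValue > 0, "No rewards to claim");

        (bool success,) = payable(msg.sender).call{value: totalValue}(""); // interaction first
        require(success, "Transfer failed");
        delete rewardsOwned[msg.sender]; // effect second: too late
    }
}

// AFTER: Checks-Effects-Interactions plus ReentrancyGuard. The mapping is
// cleared before any value leaves the contract, so a re-entrant call sees
// zero rewards and reverts on the require; nonReentrant blocks it outright.
contract MysteryBoxFixed is ReentrancyGuard {
    mapping(address => Reward[]) public rewardsOwned;

    function claimAllRewards() public nonReentrant {
        // Checks
        uint256 totalValue = 0;
        for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
            totalValue += rewardsOwned[msg.sender][i].value;
        }
        require(totalValue > 0, "No rewards to claim");

        // Effects: clear state before the external call
        delete rewardsOwned[msg.sender];

        // Interactions
        (bool success,) = payable(msg.sender).call{value: totalValue}("");
        require(success, "Transfer failed");
    }

    // Assumed signature: claim one reward by index. The reward is removed
    // (swap-and-pop) before the transfer so the same entry cannot be paid twice.
    function claimSingleReward(uint256 _index) public nonReentrant {
        // Checks
        Reward[] storage rewards = rewardsOwned[msg.sender];
        require(_index < rewards.length, "Invalid index");
        uint256 value = rewards[_index].value;
        require(value > 0, "No reward to claim");

        // Effects
        rewards[_index] = rewards[rewards.length - 1];
        rewards.pop();

        // Interactions
        (bool success,) = payable(msg.sender).call{value: value}("");
        require(success, "Transfer failed");
    }
}
```

Either fix on its own closes the hole described in the report; applying both gives defence in depth, since CEI protects the function even if the guard is forgotten on a later entry point, and the guard protects against cross-function reentrancy between claimAllRewards and claimSingleReward.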

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago

Appeal created

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`claimAllRewards` reentrancy

`claimSingleReward` reentrancy
