Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Reentrancy attack to drain the pool

0x37

Summary

Hackers can reentrance function claimAllRewards or claimSingleReward to drain the pool.

Vulnerability Details

Function claimAllRewards and claimSingleReward aims to claim some native token as the rewards.
The problem is that malicious users can reentrance this function via the receiver's fallback() function. And the actual storage variable rewardsOwned is updated after the reentrancy point.
Hackers can make use of this reentrancy point to drain the whole pool.

function claimAllRewards() public {
uint256 totalValue = 0;
for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
totalValue += rewardsOwned[msg.sender][i].value;
}
require(totalValue > 0, "No rewards to claim");
@> (bool success,) = payable(msg.sender).call{value: totalValue}("");
require(success, "Transfer failed");
delete rewardsOwned[msg.sender];
}

Impact

Hackers can make use of this reentrancy vulnerability to drain this whole pool.

Tools Used

Manual

Recommendations

Add non-reentracy protection for function claimAllRewards and claimSingleReward.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`claimAllRewards` reentrancy

`claimSingleReward` reentrancy

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!