Mystery Box

First Flight #25
Submission Details
Severity: high
Valid

Reentrancy in multiple functions

Summary

A user can drain all the funds from the contracts.

Vulnerability Details

When a smart contract sends value to, or otherwise calls, an external address before updating its own state, the callee can re-enter the contract during that call and repeat the operation, leading to unintended outcomes such as drained funds. The flaw arises from failing to apply the state change before the external interaction. Here both `claimAllRewards` and `claimSingleReward` transfer ETH to `msg.sender` with `call` and only afterwards delete the caller's reward entries, so a receiving contract can claim the same rewards again from its fallback before they are cleared.

Impact

Reentrancy attacks can result in significant financial loss, manipulation of contract logic, and undermine trust in decentralized applications, potentially leading to drained contract balances.

Tools Used

Foundry, manual analysis, VS Code

Recommendations

```diff
function claimAllRewards() public {
uint256 totalValue = 0;
for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
totalValue += rewardsOwned[msg.sender][i].value;
}
require(totalValue > 0, "No rewards to claim");
+ delete rewardsOwned[msg.sender];
(bool success,) = payable(msg.sender).call{value: totalValue}("");
require(success, "Transfer failed");
- delete rewardsOwned[msg.sender];
}
```
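Review bot: The reordering is the right fix for this function. With `delete rewardsOwned[msg.sender];` moved ahead of the `call`, a re-entrant `claimAllRewards` iterates over an empty array, computes `totalValue == 0` and reverts on `require(totalValue > 0, "No rewards to claim")`. It is worth stating in the recommendation that nothing is lost on a failed transfer either: `require(success, "Transfer failed")` reverts the whole transaction, which also undoes the earlier `delete`. Consider a `nonReentrant` guard on both claim functions as defence in depth; the ordering change alone is sufficient today, but a guard keeps the property if another external call is added later.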
```diff
function claimSingleReward(uint256 _index) public {
require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
uint256 value = rewardsOwned[msg.sender][_index].value;
require(value > 0, "No reward to claim");
+ delete rewardsOwned[msg.sender][_index];
(bool success,) = payable(msg.sender).call{value: value}("");
require(success, "Transfer failed");
- delete rewardsOwned[msg.sender][_index];
}
```
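Review bot: The bounds check on the first line is off by one and stays so in the patched version: `require(_index <= rewardsOwned[msg.sender].length, "Invalid index")` lets `_index == length` through, and the following read `rewardsOwned[msg.sender][_index]` then reverts with an out-of-bounds panic instead of the intended "Invalid index" message; it should be `_index < rewardsOwned[msg.sender].length`. Also note that `delete rewardsOwned[msg.sender][_index]` zeroes the element in place rather than removing it, so the array keeps a zero-valued slot. That is enough for the reentrancy fix, since a re-entrant call for the same index now hits `require(value > 0, "No reward to claim")`, but `claimAllRewards` will keep looping over those dead slots.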
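A Foundry regression test for the recommended ordering, added here as an illustration and not part of the original submission or of the audited code base. `FixedClaim` (with its `grant` and `rewardCount` helpers) and `ObservingReceiver` are constructed stand-ins; the receiver does nothing but record how many rewards the contract still holds for it at the moment the ETH arrives, which is exactly where a re-entrant call would execute.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: only the reward bookkeeping
// and the fixed claimAllRewards (delete before the external call) are modelled.
contract FixedClaim {
    struct Reward { uint256 value; }
    mapping(address => Reward[]) internal rewardsOwned;
    function grant(address to, uint256 value) external {
        rewardsOwned[to].push(Reward(value));
    }
    function rewardCount(address who) external view returns (uint256) {
        return rewardsOwned[who].length;
    }
    function claimAllRewards() public {
        uint256 totalValue = 0;
        for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
            totalValue += rewardsOwned[msg.sender][i].value;
        }
        require(totalValue > 0, "No rewards to claim");
        delete rewardsOwned[msg.sender];            // effect first
        (bool success,) = payable(msg.sender).call{value: totalValue}("");
        require(success, "Transfer failed");        // interaction last
    }
}

// Records the contract's view of this receiver's rewards while the ETH
// transfer is in flight, i.e. at the point a re-entrant call would run.
contract ObservingReceiver {
    FixedClaim private immutable box;
    uint256 public countDuringCallback = type(uint256).max;
    constructor(FixedClaim _box) { box = _box; }
    function claim() external { box.claimAllRewards(); }
    receive() external payable {
        countDuringCallback = box.rewardCount(address(this));
    }
}

contract ClaimOrderingTest is Test {
    function testRewardsClearedBeforeTransfer() public {
        FixedClaim box = new FixedClaim();
        vm.deal(address(box), 1 ether);              // constructed prize pool
        ObservingReceiver r = new ObservingReceiver(box);
        box.grant(address(r), 0.5 ether);
        r.claim();
        assertEq(r.countDuringCallback(), 0);        // already cleared during callback
        assertEq(address(r).balance, 0.5 ether);     // paid exactly once
    }
}
```

Run it with `forge test --match-test testRewardsClearedBeforeTransfer`; the same receiver placed against the pre-fix ordering would observe a non-zero count during the callback.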
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`claimAllRewards` reentrancy

`claimSingleReward` reentrancy
