Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
Submission Details
Severity: high
Invalid

Potential reentrancy

Summary

Vulnerability Details

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol#L66

The withdraw function allows authorized users to withdraw a specific amount, but there is a reentrancy issue in this function.

Impact

Since the state is not updated before the external call is made, this function is vulnerable to a reentrancy attack.

If the withdraw function of splitters[msg.sender] makes a callback into this contract (e.g., calling withdraw again before the state is updated), a reentrancy attack could drain the contract's funds before it has the chance to properly update its state.

Since the internal state (such as balances) is not updated prior to the external call, a reentrancy attack can drain funds by repeatedly calling withdraw before the original function execution completes.

Tools Used

manual review

Recommendations

A non-reentrant modifier should be added:

function withdraw(uint256 _amount) external nonReentrant {
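As an added illustration (hypothetical code, not the project's contract and not part of the original submission): the call-before-state-update ordering the report describes, beside a version that applies effects before the external interaction and adds the recommended nonReentrant guard. ISplitter, withdrawable and SplitterControllerExample are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for a per-user splitter; not the project's own
interface ISplitter {
    function withdraw(uint256 amount) external;
}

// Minimal guard with the same idea as OpenZeppelin's ReentrancyGuard
abstract contract ReentrancyGuard {
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Hypothetical controller used only to show the two orderings
contract SplitterControllerExample is ReentrancyGuard {
    mapping(address => ISplitter) public splitters;
    // Constructed per-account allowance standing in for "balances"
    mapping(address => uint256) public withdrawable;

    // Ordering the report warns about: external call first, effect after.
    // A callback from splitters[msg.sender] sees the unchanged allowance.
    function withdrawUnsafe(uint256 _amount) external {
        require(withdrawable[msg.sender] >= _amount, "exceeds allowance");
        splitters[msg.sender].withdraw(_amount);   // interaction
        withdrawable[msg.sender] -= _amount;       // effect (too late)
    }

    // Hardened: checks, effects, then interaction, plus the guard so a
    // nested call into any nonReentrant function reverts outright.
    function withdraw(uint256 _amount) external nonReentrant {
        require(withdrawable[msg.sender] >= _amount, "exceeds allowance");
        withdrawable[msg.sender] -= _amount;       // effect before the call
        splitters[msg.sender].withdraw(_amount);   // interaction last
    }
}
```

Note that the effect-before-interaction ordering is what actually prevents the drain; the modifier is a second layer that also blocks cross-function re-entry into other guarded functions.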

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
