RewardsPoolWSD::distributeRewards uses the transferAndCall function, which opens the possibility of reentrancy attacks. Because the function follows the checks-effects-interactions (CEI) pattern, a serious problem is unlikely, but there are problems related to the block gas limit.
Reentrancy is one of the most significant threats to contracts using 'TransferAndCall'.
Failing to check the success of external calls can lead to vulnerabilities.
An attacker could create a malicious contract that consumes all gas, causing transactions to fail due to running out of gas.
This could lock funds in contracts using 'TransferAndCall' if they don't properly handle failed calls.
Consistently apply SafeERC20 throughout the contract for all ERC20 interactions.
When using transferAndCall(), ensure you're using the safe version provided by OpenZeppelin (safeTransferAndCall()).
Always check the return value of token transfers, especially for non-standard compliant tokens.
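The recommendations above, sketched as an added example that is not code from RewardsPoolWSD or the audited project: a hypothetical per-receiver distributor that follows CEI, guards against reentrancy, and checks the boolean returned by the ERC677 `transferAndCall`. The contract name, storage layout, errors and the `credit` helper are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ERC677 extension: a transfer followed by a callback into the receiver.
interface IERC677 {
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool);
}

// Hypothetical distributor; names and layout are illustrative, not taken from RewardsPoolWSD.
contract RewardDistributorExample {
    IERC677 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public pendingRewards;
    bool private locked;

    error Reentrancy();
    error NotOwner();
    error NothingToDistribute();
    error TransferAndCallFailed(address receiver);

    constructor(IERC677 _token) { token = _token; owner = msg.sender; }

    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    // Bookkeeping only; assumes the tokens were already deposited into this contract.
    function credit(address receiver, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        pendingRewards[receiver] += amount;
    }

    function distribute(address receiver) external nonReentrant {
        uint256 amount = pendingRewards[receiver];             // checks
        if (amount == 0) revert NothingToDistribute();
        // Effects: clear the balance before handing control to receiver code.
        pendingRewards[receiver] = 0;
        // Interactions: a false return (or a revert/out-of-gas in the callback)
        // undoes the effect above, so the reward stays claimable.
        bool ok = token.transferAndCall(receiver, amount, "");
        if (!ok) revert TransferAndCallFailed(receiver);
    }
}
```

Because each receiver is paid in its own transaction, a receiver whose callback burns all forwarded gas only fails its own distribution and does not block payouts to others.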