Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Reentrancy Attack

kibo

Summary

The SpookySwap contract implements a reentrancy guard to prevent reentrant calls. However, potential vulnerabilities still exist in specific scenarios where the guard might not be effective or where state changes occur before external calls. This could allow an attacker to exploit the contract through a reentrancy attack, potentially resulting in the unauthorized minting of NFTs or theft of funds.

Vulnerability Details

The contract uses the nonReentrant modifier from the ReentrancyGuard library in key functions like trickOrTreat and resolveTrick. However, if there are any functions that bypass this protection or if the internal logic allows for a state change before an external call, an attacker could exploit this vulnerability.

Proof of Concept (POC)

Setup:
- Deploy the SpookySwap contract on a test network.
- Create a malicious contract (let's call it Attacker) that interacts with SpookySwap to exploit the reentrancy vulnerability.
Malicious Contract Code:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

interface ISpookySwap {
function trickOrTreat(string memory _treatName) external payable;
function resolveTrick(uint256 tokenId) external payable;
}

contract Attacker {
ISpookySwap public spookySwap;
uint256 public targetTokenId;

constructor(address _spookySwap) {
spookySwap = ISpookySwap(_spookySwap);
}

function attack(string memory _treatName) external payable {
// Call trickOrTreat to trigger the minting process
spookySwap.trickOrTreat{value: msg.value}(_treatName);
}

// Fallback function to exploit reentrancy
fallback() external payable {
if (targetTokenId == 0) {
// Store the tokenId of the pending NFT
targetTokenId = ...; // Retrieve this from the state or logs (not shown)
// Call resolveTrick to complete the purchase and potentially mint again
spookySwap.resolveTrick{value: msg.value}(targetTokenId);
}
}
}
Execution:
- The attacker deploys the Attacker contract and calls the attack function, initiating a purchase through trickOrTreat.
- During the execution, the fallback function of the Attacker contract is triggered, allowing the attacker to recursively call resolveTrick before the initial call completes, exploiting the state changes.

Impact

If successfully exploited, a reentrancy attack can lead to:

Unauthorized Minting: The attacker could mint multiple NFTs by recursively invoking the resolveTrick function, resulting in significant losses to the contract.
Financial Loss: The attacker can drain the contract of ETH by repeatedly exploiting the refund mechanism, leading to significant financial damage to the contract owner and users.
Loss of Trust: Such vulnerabilities can undermine user trust in the contract and its deployment, leading to reputational damage for developers and stakeholders.

Conclusion

The potential for reentrancy attacks, even with protective measures in place, highlights the necessity for careful consideration of the contract’s state management and external calls. Continuous audits and thorough testing are essential to ensure the security of smart contracts in a web3 environment.

Updates

Appeal created

bube Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.