Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

Reentrancy Attack Risk

Summary

The contract sends refunds through an external call before updating its own state, leaving a window in which the recipient's fallback code runs against stale contract state. The contract does use ReentrancyGuard, which blocks re-entry into functions carrying the nonReentrant modifier, but state updates should still be placed before any external call (Checks-Effects-Interactions) to minimize risk.

Vulnerability Details

  • Function: trickOrTreat(), resolveTrick()

  • Code Reference:

(bool refundSuccess,) = msg.sender.call{value: refund}("");
require(refundSuccess, "Refund failed");

The refund is sent with a low-level call before the function's internal state changes, so the recipient's fallback code executes while the contract's state is still stale, which opens a reentrancy window.

Impact

An attacker could exploit this by re-entering the function and draining funds, potentially causing significant financial loss to the contract.

Tools Used

Manual Code Review

Recommendations

Move state-changing logic above any external call. For example:

// Move state updates before making external calls
nextTokenId += 1; // State update
(bool refundSuccess,) = msg.sender.call{value: refund}(""); // External call
require(refundSuccess, "Refund failed");
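
The following is an added illustration written for this note; it is not code from the Trick or Treat contract or from this report. It shows a minimal mint-with-refund function written both ways (refund before effects, as the finding describes, and refund after effects, as recommended) and a Foundry test that uses a probe contract which only reads nextTokenId during the refund callback and records what it saw. The names trickOrTreat and nextTokenId follow the report; PRICE, the contract and probe names, the mint logic and the test are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration for this report, not the Trick or Treat contract.
// trickOrTreat and nextTokenId mirror the report; PRICE and the mint
// logic are assumptions chosen to keep the refund path minimal.

interface IMintCounter {
    function nextTokenId() external view returns (uint256);
}

// Interaction before effects: the ordering the finding flags.
contract RefundBeforeEffects {
    uint256 public nextTokenId;
    uint256 public constant PRICE = 1 ether;
    mapping(uint256 => address) public ownerOf;

    function trickOrTreat() external payable {
        require(msg.value >= PRICE, "underpaid");
        uint256 refund = msg.value - PRICE;
        if (refund > 0) {
            // Control leaves the contract while nextTokenId is still stale.
            (bool refundSuccess,) = msg.sender.call{value: refund}("");
            require(refundSuccess, "Refund failed");
        }
        ownerOf[nextTokenId] = msg.sender; // effects only after the interaction
        nextTokenId += 1;
    }
}

// Checks-Effects-Interactions: every write happens before the refund call.
contract RefundAfterEffects {
    uint256 public nextTokenId;
    uint256 public constant PRICE = 1 ether;
    mapping(uint256 => address) public ownerOf;

    function trickOrTreat() external payable {
        require(msg.value >= PRICE, "underpaid");   // checks
        uint256 refund = msg.value - PRICE;
        uint256 tokenId = nextTokenId;
        ownerOf[tokenId] = msg.sender;               // effects
        nextTokenId = tokenId + 1;
        if (refund > 0) {                            // interaction last
            (bool refundSuccess,) = msg.sender.call{value: refund}("");
            require(refundSuccess, "Refund failed");
        }
    }
}

// Observer only: when the refund lands, it reads nextTokenId through a view
// call and records it, so a test can tell whether state was committed before
// the external call. It writes nothing in the target.
contract RefundProbe {
    address public immutable target;
    uint256 public observedNextTokenId;

    constructor(address mintContract) { target = mintContract; }

    function mint() external payable {
        (bool ok,) = target.call{value: msg.value}(abi.encodeWithSignature("trickOrTreat()"));
        require(ok, "mint failed");
    }

    receive() external payable {
        observedNextTokenId = IMintCounter(target).nextTokenId();
    }
}

contract OrderingTest is Test {
    function setUp() public {
        vm.deal(address(this), 10 ether);
    }

    function testRefundBeforeEffectsExposesStaleState() public {
        RefundBeforeEffects c = new RefundBeforeEffects();
        RefundProbe p = new RefundProbe(address(c));
        p.mint{value: 1.5 ether}();
        assertEq(p.observedNextTokenId(), 0); // mint not yet recorded during the callback
        assertEq(c.nextTokenId(), 1);         // recorded only once the call returns
    }

    function testRefundAfterEffectsCommitsFirst() public {
        RefundAfterEffects c = new RefundAfterEffects();
        RefundProbe p = new RefundProbe(address(c));
        p.mint{value: 1.5 ether}();
        assertEq(p.observedNextTokenId(), 1); // state already committed when the refund arrives
        assertEq(c.nextTokenId(), 1);
    }
}
```

Run with forge test. The probe reads nextTokenId through a public getter, which a nonReentrant modifier does not guard, so the test distinguishes "state committed before the external call" from "state committed after" regardless of whether ReentrancyGuard is present: the guard stops re-entry into guarded functions but does not change the ordering gap the finding describes. The same probe can be pointed at a real contract's refund path to check the ordering during review.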

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
