The contract executes external calls (refunds) before updating its state, leaving a window for reentrancy attacks. While the contract uses ReentrancyGuard, it is still crucial to perform state updates before any external call (checks-effects-interactions) to minimize risk.
Function: trickOrTreat(), resolveTrick()
Code Reference:
The contract processes refunds via call before internal state changes, which opens a reentrancy attack window.
An attacker could exploit this by re-entering the function and draining funds, potentially causing significant financial loss to the contract.
Manual Code Review
Move state-changing logic above any external call. For example:
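As an added illustration (not the audited contract's code), the snippet below shows a simplified refund flow in the order the finding describes next to its checks-effects-interactions form; the contract name, the `pendingRefund` mapping and both function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 path; in v4 the file lives under security/ReentrancyGuard.sol.
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Illustrative only: simplified refund handling, not the audited contract.
contract RefundExample is ReentrancyGuard {
    mapping(address => uint256) public pendingRefund;

    function deposit() external payable {
        pendingRefund[msg.sender] += msg.value;
    }

    // BEFORE: the external call precedes the state update.
    // nonReentrant blocks re-entry into this function, but while the call is
    // in flight pendingRefund still holds the old balance, so any other
    // function that reads it sees stale state.
    function refundUnsafe() external nonReentrant {
        uint256 amount = pendingRefund[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
        pendingRefund[msg.sender] = 0; // effect after interaction
    }

    // AFTER: checks, then effects, then the interaction. The balance is
    // zeroed before value leaves the contract, so re-entry through any
    // path observes amount == 0; on failure the revert rolls the write back.
    function refundSafe() external nonReentrant {
        uint256 amount = pendingRefund[msg.sender];          // check
        require(amount > 0, "nothing to refund");
        pendingRefund[msg.sender] = 0;                       // effect
        (bool ok, ) = msg.sender.call{value: amount}("");    // interaction
        require(ok, "refund failed");
    }
}
```

Keeping `nonReentrant` is still worthwhile as defence in depth, but the ordering in `refundSafe` is what removes the window.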