If msg.sender is a contract with a custom implementation of IERC20.safeTransferFrom, then during safeTransferFrom this malicious contract could re-enter the sendProfit function before the function completes.
When sendProfit calls `safeTransferFrom(msg.sender, address(this), amount);`, control is temporarily transferred to msg.sender's safeTransferFrom function. If msg.sender is a malicious contract, it can use this transfer of control to execute a callback function. This callback could then re-enter sendProfit, bypassing any state changes or validations that would typically occur after safeTransferFrom.
This would manipulate the distribution of profits and could inflate the profit-per-token value.
## PoC
1. A malicious contract (acting as msg.sender) calls sendProfit.
2. Inside sendProfit, the safeTransferFrom function is called to transfer tokens from msg.sender to the contract.
3. Since msg.sender is a contract, it can include custom code that triggers a callback during the safeTransferFrom execution.
4. This callback re-enters sendProfit, causing it to execute its logic multiple times without completing the initial transaction.
## Recommendation
Use a nonReentrant modifier on sendProfit.
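To make the recommendation concrete, the following is an added illustration and not the audited project's code (the real sendProfit is not reproduced in this report). It sketches a hypothetical profit pool whose sendProfit makes the external token call before its accounting is final, next to the same function guarded with OpenZeppelin's nonReentrant modifier and reordered to checks-effects-interactions. The import paths assume OpenZeppelin Contracts v4.x; `totalStaked`, `profitPerToken` and the balance-delta accounting are assumed details chosen to show how a re-entered call can be credited twice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch for illustration; import paths assume OpenZeppelin Contracts v4.x.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// VULNERABLE pattern: nothing blocks a second entry while the first call is still
// on the stack, and the amount credited is measured around the external call.
contract ProfitPoolVulnerable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint256 public totalStaked;      // assumed to be maintained by stake/unstake elsewhere
    uint256 public profitPerToken;   // assumed to be scaled by 1e18

    constructor(IERC20 _token) { token = _token; }

    function sendProfit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        // If the token invokes a hook on the sender before moving balances, control
        // returns to msg.sender here and sendProfit can be entered a second time.
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Outer call measures its delta after the inner call already landed, so the
        // inner transfer is credited twice: once by the inner call, once by this one.
        uint256 received = token.balanceOf(address(this)) - before;
        profitPerToken += (received * 1e18) / totalStaked;
    }
}

// HARDENED pattern: nonReentrant reverts any nested entry, and the checks run
// before the external interaction. The balance delta stays correct because no
// other sendProfit can execute between the two balanceOf reads.
contract ProfitPoolHardened is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint256 public totalStaked;
    uint256 public profitPerToken;

    constructor(IERC20 _token) { token = _token; }

    function sendProfit(uint256 amount) external nonReentrant {
        require(amount > 0, "zero amount");
        require(totalStaked > 0, "nothing staked");
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - before;
        profitPerToken += (received * 1e18) / totalStaked;
    }
}
```

In the vulnerable contract, a nested sendProfit that completes inside the outer call's safeTransferFrom leaves the outer call's `before` snapshot stale, so the outer delta includes tokens that were already credited. With nonReentrant the nested call reverts, which also unwinds the outer transfer, so profitPerToken can only move by the amount actually received in one uninterrupted call.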