Christmas Dinner
First Flight #31
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`christmasDinner::nonReentrant` modifier is not implemented correctly

nem0thefinder

Summary

The christmasDinner::nonReentrant modifier is not implemented correctly, leaving the contract vulnerable to reentrancy attacks.

https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L77

https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L43

Vulnerability Details

The christmasDinner::nonReentrant modifier is not implemented correctly, leaving the contract vulnerable to reentrancy attacks. While the modifier intends to prevent reentrancy, the locked state variable is reset to false after executing the function logic (_). This implementation fails to adequately lock the function during its execution, as reentrancy protection should ensure the locked state remains true until the function execution is entirely complete.

Impact

  • Vulnerability to Reentrancy Exploits: Functions using this modifier are susceptible to reentrancy attacks, which can allow malicious actors to repeatedly call the function before the first invocation completes.

Tools Used

  • Manual Code Review

  • IDE

Recommendations

  • Update the nonReentrant modifier to set locked = true before the function execution and reset it to false after completion. A correct implementation would look like this:

modifier nonReentrant() {
require(!locked, "No re-entrancy");
+ locked = true; // Lock the function before execution
_;
locked = false; // Unlock the function after execution
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mutex lock incomplete

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!