Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Reentrancy Vulnerability in `_refundETH` Function

Summary

The `_refundETH` function sends ETH to the user before zeroing their recorded balance. Because the external call `_to.transfer(refundValue)` happens while `etherBalance[_to]` is still non-zero, the recipient can re-enter the contract before the balance is reset. In addition, `.transfer` forwards only a fixed 2300 gas stipend, so the refund fails if the recipient needs more gas than that.

Vulnerability Details

`_refundETH` performs the external call before the state update, which is the reverse of the checks-effects-interactions pattern. The call to `_to.transfer(refundValue)` hands control to the recipient while `etherBalance[_to]` still holds the pre-refund amount, so the recipient can re-enter the contract and call `refund()` again before the balance is reset; an attacker can repeat this to drain ETH from the contract. Separately, the fixed gas stipend of `.transfer` can make legitimate refunds to contract recipients fail when they need more gas.

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    _to.transfer(refundValue);   // interaction happens first...
    etherBalance[_to] = 0;       // ...state is updated only afterwards
}

Impact

  • Attackers can re-enter the contract and repeatedly call `refund()`, draining the ETH balance.

  • This can lead to complete depletion of the ETH held by the contract.

  • The vulnerability is severe and can cause significant financial loss if exploited.

Tools Used

Foundry

Recommendations

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    etherBalance[_to] = 0;                               // Update balance before the external call
    (bool success, ) = _to.call{value: refundValue}(""); // Forwards gas instead of the 2300 stipend
    require(success, "ETH Transfer Failed");
}

Updates
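As an added example (not part of this submission or of the Christmas Dinner code base), a Foundry regression test for the recommended ordering: `RefundVault`, `ReentrantReceiver` and the test contract are hypothetical stand-ins, with a receiver that re-enters `refund()` once from its `receive()` so the test can confirm the second call finds a zero balance and moves no extra ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the refund path (not the ChristmasDinner source):
// deposits are tracked in etherBalance and paid out via the recommended _refundETH.
contract RefundVault {
    mapping(address => uint256) public etherBalance;

    function deposit() external payable { etherBalance[msg.sender] += msg.value; }
    function refund() external { _refundETH(payable(msg.sender)); }

    // Checks-Effects-Interactions: zero the balance, then send.
    function _refundETH(address payable _to) internal {
        uint256 refundValue = etherBalance[_to];
        etherBalance[_to] = 0;
        (bool success, ) = _to.call{value: refundValue}("");
        require(success, "ETH Transfer Failed");
    }
}

// Recipient that re-enters refund() exactly once when paid; exists only to exercise the fix.
contract ReentrantReceiver {
    RefundVault public vault;
    uint256 public reentered;
    constructor(RefundVault _vault) { vault = _vault; }
    function depositAndRefund() external payable {
        vault.deposit{value: msg.value}();
        vault.refund();
    }
    receive() external payable {
        // The nested refund() reads etherBalance == 0 and therefore transfers 0 wei.
        if (reentered == 0) { reentered = 1; vault.refund(); }
    }
}

contract RefundReentrancyTest is Test {
    function test_reentryCannotDrain() public {
        RefundVault vault = new RefundVault();
        ReentrantReceiver rcv = new ReentrantReceiver(vault);
        vm.deal(address(this), 3 ether);
        vault.deposit{value: 2 ether}();          // an honest depositor's funds
        rcv.depositAndRefund{value: 1 ether}();   // the re-entering refund
        assertEq(rcv.reentered(), 1);             // re-entry did occur...
        assertEq(address(rcv).balance, 1 ether);  // ...but only its own deposit came back
        assertEq(address(vault).balance, 2 ether);// honest funds are untouched
    }
}
```

Because the recommended fix uses `.call`, which forwards all remaining gas (unlike the 2300 stipend of `.transfer`), the effects-before-interaction ordering is what stops the re-entry, and that is the property this test checks.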

Lead Judging Commences

0xtimefliez (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

shrxyeh (Submitter), about 1 year ago
0xtimefliez (Lead Judge), about 1 year ago
shrxyeh (Submitter), about 1 year ago
0xtimefliez (Lead Judge), about 1 year ago
0xtimefliez (Lead Judge), about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mutex lock incomplete
