Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

The _refundERC20 function does not follow the Checks-Effects-Interactions (CEI) pattern.

Summary

The primary goal of the _refundERC20 function is to refund ERC20 tokens to a specified address.

Vulnerability Details

The function does not follow the CEI pattern.

Impact

Incorrect balance for ERC20 tokens. It is noted that this function is used in the refund function, but the refund function has an incorrect implementation for reentrancy. Alternatively, it could be used in a different function without this modifier, which leaves the field open for further attacks.

Tools Used

manual review

Recommendations

Please consider changing the _refundERC20 function.

    function _refundERC20(address _to) internal {
        // Checks: read the recorded balances into local variables
        uint256 wethBalance = balances[_to][address(i_WETH)];
        uint256 wbtcBalance = balances[_to][address(i_WBTC)];
        uint256 usdcBalance = balances[_to][address(i_USDC)];
        // Effects: zero the recorded balances before any external call
        balances[_to][address(i_WETH)] = 0;
        balances[_to][address(i_WBTC)] = 0;
        balances[_to][address(i_USDC)] = 0;
        // Interactions: external token transfers come last
        i_WETH.safeTransfer(_to, wethBalance);
        i_WBTC.safeTransfer(_to, wbtcBalance);
        i_USDC.safeTransfer(_to, usdcBalance);
    }
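
Added example (not part of the submission or the contest code): a small Python model of why statement order matters in a refund, checked against the invariant that the pool holds at least what it still owes. It assumes a token that calls back into the recipient during transfer, which the page does not claim for WETH, WBTC or USDC; HookToken, Pool, Participant and run are hypothetical names.

```python
# Added model, not the contest's code. All names are hypothetical.
class HookToken:
    """Constructed token whose transfer notifies the recipient (assumption)."""
    def __init__(self):
        self.balance_of = {}

    def transfer(self, sender, recipient, amount):
        if self.balance_of.get(sender.name, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balance_of[sender.name] -= amount
        self.balance_of[recipient.name] = self.balance_of.get(recipient.name, 0) + amount
        recipient.on_receive(sender)  # control passes to the recipient here

class Pool:
    def __init__(self, token, cei):
        self.name, self.token, self.cei = "pool", token, cei
        self.balances = {}  # recorded refundable amount per participant

    def refund(self, to):
        amount = self.balances.get(to.name, 0)
        if self.cei:
            self.balances[to.name] = 0             # effect
            self.token.transfer(self, to, amount)  # interaction
        else:
            self.token.transfer(self, to, amount)  # interaction
            self.balances[to.name] = 0             # effect, after control was handed out

class Participant:
    def __init__(self, name, reenter=0):
        self.name, self.reenter = name, reenter

    def on_receive(self, pool):
        if self.reenter > 0:  # recipient calls refund again from the callback
            self.reenter -= 1
            pool.refund(self)

def run(cei):
    """Return (paid_to_caller, pool_holdings, pool_is_solvent) after one refund."""
    token = HookToken()
    pool = Pool(token, cei)
    token.balance_of["pool"] = 200                  # constructed deposits
    pool.balances = {"other": 100, "caller": 100}
    pool.refund(Participant("caller", reenter=1))
    holdings = token.balance_of["pool"]
    return token.balance_of["caller"], holdings, holdings >= sum(pool.balances.values())

if __name__ == "__main__":
    print("interaction first:", run(cei=False))
    print("CEI order:        ", run(cei=True))
```

With the effect written first, the nested call reads a recorded balance of zero and transfers nothing, so the pool still covers the other participant's 100.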
Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
