There is an error in the ChristmasDinner::nonReentrant() modifier. The modifier does not lock the contract against reentrancy. ChristmasDinner::nonReentrant() checks whether the contract is locked and then executes the code, instead of first locking the contract against reentrancy. Since the only function that uses this modifier, i.e. the ChristmasDinner::_refundETH() function, uses transfer(), which limits the gas spending to 2300, to send ETH, the reentrancy attack is mitigated for now. Hence I marked it as medium risk.
But the _refundETH function is not inherently safe, even though the transfer method restricts the gas sent to 2300. The Ethereum network's gas requirements for operations have changed in the past (e.g. the December 2019 Istanbul hard fork), and they could change again in the future. For instance, if storage operations (or fallback execution) become cheaper, a previously "safe" gas limit may no longer protect against reentrancy.
Manual review (see the code below):
Simply add the following line of code as shown below:
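As an added illustration (not the contest's code or the snippet from the original submission), the Solidity sketch below places the guard pattern the finding describes next to a version that sets the lock before the body runs. The contract name, the `locked` flag, the `balances` mapping and the `refund` function that sends ETH with `call` are assumptions made for the example; it goes one step beyond the finding by also ordering the refund as checks-effects-interactions, so it does not rely on a gas stipend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. GuardSketch, locked, balances, deposit and refund are
// assumed names, not identifiers taken from the ChristmasDinner source.
contract GuardSketch {
    bool private locked;
    mapping(address => uint256) private balances;

    // Pattern described in the finding: the flag is checked but never set,
    // so a nested call still sees locked == false and passes the require.
    modifier brokenNonReentrant() {
        require(!locked, "No re-entrancy");
        _;
        locked = false;
    }

    // Corrected guard: take the lock before the body runs, release it after.
    modifier nonReentrant() {
        require(!locked, "No re-entrancy");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Refund that does not depend on the 2300-gas limit of transfer():
    // the guard rejects nested entry, and the balance is zeroed before the
    // external call (checks-effects-interactions).
    function refund() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "Nothing to refund");
        balances[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH refund failed");
    }
}
```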