**Description**
`TokenDivider::buyOrder()` does not use the correct implementation of CEI (checks-effects-interactions) to protect against re-entrancy attacks. A malicious contract can call `buyOrder` several times through re-entrancy and potentially obtain all the tokens.
Vulnerable part of code:
```solidity
function buyOrder(uint256 orderIndex, address seller) external payable {
    // Checks
    if (seller == address(0)) {
        revert TokenDivider__InvalidSeller();
    }
    SellOrder memory order = s_userToSellOrders[seller][orderIndex];
    if (msg.value < order.price) {
        revert TokenDivider__IncorrectEtherAmount();
    }
    uint256 fee = order.price / 100;
    uint256 sellerFee = fee / 2;
    if (msg.value < order.price + sellerFee) {
        revert TokenDivider__InsuficientEtherForFees();
    }

    // Effects: credit the buyer and remove the order (swap-and-pop)
    balances[msg.sender][order.erc20Address] += order.amount;
    s_userToSellOrders[seller][orderIndex] = s_userToSellOrders[seller][
        s_userToSellOrders[seller].length - 1
    ];
    s_userToSellOrders[seller].pop();
    emit OrderSelled(msg.sender, order.price);

    // Interactions: external ETH calls to the seller and the owner hand control
    // to other contracts before the buyer's tokens are transferred below
    (bool success, ) = payable(order.seller).call{
        value: (order.price - sellerFee)
    }("");
    if (!success) {
        revert TokenDivider__TransferFailed();
    }
    (bool taxSuccess, ) = payable(owner()).call{value: fee}("");
    if (!taxSuccess) {
        revert TokenDivider__TransferFailed();
    }
    // Token transfer happens last, after the untrusted calls above
    IERC20(order.erc20Address).transfer(msg.sender, order.amount);
}
```
**Impact**
**Proof of Concepts**
**Recommended mitigation**
Use the CEI pattern in the `buyOrder` function: complete every state change and token movement before making external calls, and add a re-entrancy guard as defence in depth.
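A hardened `buyOrder`, added here as an illustration and not the project's own code. It keeps the original storage layout, errors and event (redeclared in a reduced hypothetical contract so it compiles on its own), moves the ERC-20 transfer ahead of the ETH calls so nothing is left pending when control reaches untrusted addresses, and adds OpenZeppelin's `nonReentrant` modifier (OpenZeppelin v5 import paths assumed).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical reduced contract: only the pieces buyOrder needs are declared here.
contract TokenDividerFixed is Ownable, ReentrancyGuard {
    struct SellOrder { address seller; address erc20Address; uint256 price; uint256 amount; }

    mapping(address => SellOrder[]) public s_userToSellOrders;
    mapping(address => mapping(address => uint256)) public balances;

    error TokenDivider__InvalidSeller();
    error TokenDivider__InsuficientEtherForFees();
    error TokenDivider__TransferFailed();
    event OrderSelled(address indexed buyer, uint256 price);

    constructor() Ownable(msg.sender) {}

    function buyOrder(uint256 orderIndex, address seller) external payable nonReentrant {
        // Checks
        if (seller == address(0)) revert TokenDivider__InvalidSeller();
        SellOrder memory order = s_userToSellOrders[seller][orderIndex];
        uint256 fee = order.price / 100;
        uint256 sellerFee = fee / 2;
        if (msg.value < order.price + sellerFee) revert TokenDivider__InsuficientEtherForFees();

        // Effects: all storage writes complete before any external call, so a
        // re-entrant call would already find the order removed.
        balances[msg.sender][order.erc20Address] += order.amount;
        uint256 last = s_userToSellOrders[seller].length - 1;
        s_userToSellOrders[seller][orderIndex] = s_userToSellOrders[seller][last];
        s_userToSellOrders[seller].pop();
        emit OrderSelled(msg.sender, order.price);

        // Interactions: the ERC-20 transfer now precedes the ETH calls, so no token
        // movement is pending when control passes to the seller or the owner;
        // nonReentrant blocks any nested call into this function regardless.
        IERC20(order.erc20Address).transfer(msg.sender, order.amount);
        (bool success, ) = payable(order.seller).call{value: order.price - sellerFee}("");
        if (!success) revert TokenDivider__TransferFailed();
        (bool taxSuccess, ) = payable(owner()).call{value: fee}("");
        if (!taxSuccess) revert TokenDivider__TransferFailed();
    }
}
```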