Pieces Protocol

First Flight #32
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Invalid

Reentrancy Vulnerability in `buyOrder` function

Summary

The `buyOrder` function (line 261) exposes the contract to a reentrancy vulnerability because the contract does not follow the checks-effects-interactions pattern.

Vulnerability Details

The `buyOrder` function makes external calls to the seller and to the contract owner using `call`. If either the seller or the owner is a malicious contract, it could re-enter the contract before the state changes are finalized.

Impact

An attacker could re-enter this function and manipulate the number of orders before the transaction is finalized.

Tools Used

Manual code review

Recommendations

Implement a reentrancy guard, such as the `ReentrancyGuard` library from OpenZeppelin, to prevent reentrancy.

In addition to the `ReentrancyGuard` library, follow the checks-effects-interactions pattern to:

  1. Check conditions and update contract state, and

  2. Perform external interactions as the final step.
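The following is an added illustration of the recommended pattern, not the Pieces Protocol code: a constructed marketplace skeleton whose `buyOrder` uses OpenZeppelin's `nonReentrant` and orders its logic as checks, then effects, then the `call`-based payments to seller and owner. The `Order` struct, `FEE_BPS`, `createOrder` and the OpenZeppelin import path are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (the path is utils/ReentrancyGuard.sol;
// v4 shipped it under security/ReentrancyGuard.sol).
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Constructed example contract; the storage layout is hypothetical.
contract CeiBuyOrderExample is ReentrancyGuard {
    struct Order {
        address seller;
        uint256 price;  // wei the buyer must send
        bool active;
    }

    address public immutable owner;
    uint256 public constant FEE_BPS = 200; // hypothetical 2% protocol fee
    Order[] public orders;

    constructor() {
        owner = msg.sender;
    }

    function createOrder(uint256 price) external {
        orders.push(Order({seller: msg.sender, price: price, active: true}));
    }

    /// Checks -> effects -> interactions, with nonReentrant as a second layer.
    function buyOrder(uint256 orderId) external payable nonReentrant {
        // Checks: validate inputs against current state before anything else.
        Order memory order = orders[orderId];
        require(order.active, "order not active");
        require(msg.value == order.price, "wrong payment");

        // Effects: close the order before any external call, so a re-entering
        // seller or owner already sees it as inactive.
        orders[orderId].active = false;

        // Interactions: external value transfers happen last, each checked.
        uint256 fee = (msg.value * FEE_BPS) / 10_000;
        (bool paidSeller, ) = payable(order.seller).call{value: msg.value - fee}("");
        require(paidSeller, "seller payment failed");
        (bool paidOwner, ) = payable(owner).call{value: fee}("");
        require(paidOwner, "fee payment failed");
    }
}
```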

Updates

Lead Judging Commences

fishy Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy

Appeal created

fishy Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
