Pieces Protocol

First Flight #32
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Status: Invalid

Reentrancy Vulnerability in `buyOrder` function

Summary

The `buyOrder` function (line 261) exposes the contract to a reentrancy vulnerability because it does not follow the "checks-effects-interactions" pattern.

Vulnerability Details

The `buyOrder` function makes external calls to the seller and to the contract owner using `call`. If either the seller or the owner is a malicious contract, it could re-enter the contract before the state changes are finalized.

Impact

An attacker could re-enter this function and manipulate the number of orders before the purchase is finalized.

Tools Used

Manual code review

Recommendations

Implement a reentrancy guard using the `ReentrancyGuard` library from OpenZeppelin to prevent reentrancy.

In addition to the `ReentrancyGuard` library, follow the "checks-effects-interactions" pattern:

  1. Check conditions and update contract state, and

  2. Perform external interactions as the final step.
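The following is an added illustration of the two recommendations combined, not code from the Pieces Protocol repository. The contract, its `Order` struct, the `feeBps` fee and the `createOrder` helper are hypothetical simplifications chosen only to show where the guard and the ordering of checks, effects and interactions sit in a `buyOrder`-style function that pays both the seller and the owner with `call`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin 5.x path; in 4.x the file lives under security/ReentrancyGuard.sol.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical order book (not the protocol's own contract) demonstrating
/// nonReentrant plus checks-effects-interactions in buyOrder.
contract OrderBookExample is ReentrancyGuard {
    struct Order {
        address seller;
        uint256 price;   // wei the buyer must send
        bool active;
    }

    address public immutable owner;
    uint256 public immutable feeBps;          // owner fee in basis points (assumed)
    mapping(uint256 => Order) public orders;

    event OrderFilled(uint256 indexed orderId, address indexed buyer, address indexed seller, uint256 price);

    constructor(uint256 _feeBps) {
        require(_feeBps <= 10_000, "fee > 100%");
        owner = msg.sender;
        feeBps = _feeBps;
    }

    function createOrder(uint256 orderId, uint256 price) external {
        require(!orders[orderId].active, "order exists");
        orders[orderId] = Order({seller: msg.sender, price: price, active: true});
    }

    /// nonReentrant blocks any nested call into another nonReentrant function
    /// while this one is executing, independent of the ordering below.
    function buyOrder(uint256 orderId) external payable nonReentrant {
        // --- Checks: validate inputs and current state ---
        Order memory order = orders[orderId];
        require(order.active, "no such order");
        require(msg.value == order.price, "wrong payment");
        require(msg.sender != order.seller, "cannot buy own order");

        // --- Effects: update storage before touching any external account ---
        delete orders[orderId];
        uint256 fee = (order.price * feeBps) / 10_000;
        uint256 sellerAmount = order.price - fee;
        emit OrderFilled(orderId, msg.sender, order.seller, order.price);

        // --- Interactions: external calls come last, so a callee that re-enters
        //     finds the order already removed and fails the "no such order" check ---
        (bool okSeller, ) = order.seller.call{value: sellerAmount}("");
        require(okSeller, "seller payment failed");
        (bool okOwner, ) = owner.call{value: fee}("");
        require(okOwner, "fee payment failed");
    }
}
```

With this ordering the `delete orders[orderId]` happens before either `call`, so even without the modifier a re-entrant call into `buyOrder` for the same order reverts on the `active` check; `nonReentrant` is defence in depth that also covers other state-changing functions the contract may expose.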

Updates

Lead Judging Commences

fishy Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy

Appeal created

fishy Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
