Pieces Protocol

Summary: in https://github.com/Cyfrin/2025-01-pieces-protocol/blob/main/src/TokenDivider.sol#L260C1-L264C10 In the buyOrder function, you make an external call to transfer Ether to the seller and then call IERC20(order.erc20Address).transfer(msg.sender, order.amount);. This creates a potential reentrancy attack, where the external call to transfer Ether might trigger a malicious contract to call buyOrder again before the token transfer is complete.

TokenDivider.sol code :function buyOrder(uint256 orderIndex, address seller) external payable {
if(seller == address(0)) {
revert TokenDivider__InvalidSeller();
}

The reentrancy vulnerability in buyOrder poses a significant security risk as it could be exploited to drain funds or manipulate contract behavior, especially since it involves both Ether transfers and token transfers.

Vulnerability Details:The external Ether transfer to the seller occurs before updating the contract's state, allowing reentrancy attacks.

Impact:A malicious contract could exploit this vulnerability to repeatedly call buyOrder, draining the contract's balance or executing unintended actions.

Tools Used :none

Recommendations:**To mitigate this, update the state changes (like removing the order from the seller's list) before making external calls. **

fix code:

// Update state before external call
s_userToSellOrders[seller][orderIndex] = s_userToSellOrders[seller][s_userToSellOrders[seller].length - 1];
s_userToSellOrders[seller].pop();

emit OrderSelled(msg.sender, order.price);

// Transfer The Ether (after state change)
(bool success, ) = payable(order.seller).call{value: (order.price - sellerFee)}("");