Zaros Part 2
Tags: Perpetuals DEX, Foundry, Solidity
Prize pool: 70,000 USDC
Submission Details
Severity: low
Status: Invalid

Lack of re-entrancy protection when claiming fees

Summary

The claimFees function in CreditDelegationBranch.sol (line 284) has no reentrancy protection. It transfers WETH to the caller without any safeguard against reentrant calls, which could expose the protocol to a reentrancy attack: a malicious actor could repeatedly call the function to drain the protocol's WETH reserves before its state is updated.

Vulnerability Details

```solidity
function claimFees(uint128 vaultId) external {
    // load the vault data storage pointer
    Vault.Data storage vault = Vault.load(vaultId);
    // get the actor id
    bytes32 actorId = bytes32(uint256(uint160(msg.sender)));
    // reverts if the actor has no shares
    if (vault.wethRewardDistribution.actor[actorId].shares == 0) revert Errors.NoSharesAvailable();
    // get the claimable amount of fees
    UD60x18 amountToClaimX18 = vault.wethRewardDistribution.getActorValueChange(actorId).intoUD60x18();
    // reverts if the claimable amount is 0
    if (amountToClaimX18.isZero()) revert Errors.NoFeesToClaim();
    vault.wethRewardDistribution.accumulateActor(actorId);
    // weth address
    address weth = MarketMakingEngineConfiguration.load().weth;
    // load the weth collateral data storage pointer
    Collateral.Data storage wethCollateral = Collateral.load(weth);
    // convert the amount to claim to weth amount
    uint256 amountToClaim = wethCollateral.convertUd60x18ToTokenAmount(amountToClaimX18);
    // transfer the amount to the claimer
    IERC20(weth).safeTransfer(msg.sender, amountToClaim);
    // emit event to log the amount claimed
    emit LogClaimFees(msg.sender, vaultId, amountToClaim);
}
```

As the code shows, the function has no non-reentrant modifier, so if the transfer calls back into the function, the remaining claimable amount can be stolen.

Impact

Users’ claimable WETH could be stolen, resulting in loss of funds and diminished trust in the protocol.

Recommendations

Add a non-reentrant modifier to claimFees.
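The recommended fix as an added illustration, not code from the Zaros repository: a simplified fee-claim contract (hypothetical GuardedFeeClaimer, with rewards tracked in a plain mapping instead of the protocol's Vault and distribution libraries) that combines a mutex-style nonReentrant modifier with checks-effects-interactions ordering, so the claimable balance is zeroed before the WETH transfer and any nested call into the function reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the payout (hypothetical, not the project's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified fee-claim contract constructed for illustration only.
contract GuardedFeeClaimer {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    IERC20 public immutable weth;
    // vaultId => actor => claimable WETH amount (stand-in for the reward distribution state)
    mapping(uint128 => mapping(address => uint256)) public claimable;

    event LogClaimFees(address indexed claimer, uint128 indexed vaultId, uint256 amount);
    error NoFeesToClaim();
    error Reentrancy();

    // Mutex-style guard: a re-entrant call into any guarded function reverts
    // instead of seeing stale state.
    modifier nonReentrant() {
        if (status == ENTERED) revert Reentrancy();
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    constructor(IERC20 _weth) {
        weth = _weth;
    }

    // Credits fees to an actor (hypothetical admin path; access control omitted here).
    function credit(uint128 vaultId, address actor, uint256 amount) external {
        claimable[vaultId][actor] += amount;
    }

    // Hardened claim: guarded, and the effect (zeroing the balance) happens
    // before the interaction (token transfer), so a callback finds nothing to claim.
    function claimFees(uint128 vaultId) external nonReentrant {
        uint256 amount = claimable[vaultId][msg.sender];
        if (amount == 0) revert NoFeesToClaim();
        claimable[vaultId][msg.sender] = 0;
        require(weth.transfer(msg.sender, amount), "transfer failed");
        emit LogClaimFees(msg.sender, vaultId, amount);
    }
}
```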

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 6 months ago: Submission Judgement Published
Invalidated
Reason: Too generic
