Attacker can drain vault funds by reentering `redeem()`
Summary
The redeem function is vulnerable to a reentrancy attack due to the external call via IERC4626(indexToken).redeem() before updating the state of the withdrawal request. An attacker can exploit this by reentering the function before the state is updated, potentially allowing them to redeem the same shares multiple times.
Affected code:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/branches/VaultRouterBranch.sol#L486C3-L570C6
Vulnerability Details
the function redeem() makes an external call IERC4626(indexToken).redeem before marking the withdrawal request as fulfilled (withdrawalRequest.fulfilled = true). If the user is a malicious contract, it can call back into the redeem function via a fallback function before the state is updated, allowing him to redeem the same shares multiple times.
Impact
Attacker can drain the vault by repeadly redeeming the same shares.
Tools Used
Manual Review
Recommendations
Use a reentrant modifier to prevent reentrant calls.
Updated code:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.