Submission Details
Severity:
Understanding Reentrancy Attacks manipulate state variable
Summary
when an external contract can repeatedly call back into the vulnerable function before the initial execution is complete. This allows the attacker to manipulate state variables,
Impact
The attacker deploys a contract that calls likeUser.
Within that contract, they implement a fallback function that recursively calls
likeUseragain before the initial call finishes.This could allow the attacker to bypass the
requirechecks and cause incorrect updates to thelikesandmatchesmappings.
Tools Used
manually
Recommendations
import "@openzeppelin/contracts/security/ReentrancyGuard.sol"
contract MyContract is ReentrancyGuard {
function likeUser(address liked) external nonReentrant payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
}
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.