Reentrancy Risk in Dex Swaps
Summary
The _doDexSwap function in PerpetualVault.sol interacts with external contracts (ParaSwap) without proper reentrancy guards, risking recursive calls that could manipulate the contract’s state.
https://github.com/CodeHawks-Contests/2025-02-gamma/blob/e5b98627a4c965e203dbb616a5f43ec194e7631a/contracts/PerpetualVault.sol#L1040
https://github.com/CodeHawks-Contests/2025-02-gamma/blob/e5b98627a4c965e203dbb616a5f43ec194e7631a/contracts/PerpetualVault.sol#L1041
Vulnerability Details
Faulty Code Snippet:
External Call Risk: The ParaSwapUtils.swap function makes a low-level .call() to an external address (to). If to is malicious, it can reenter the PerpetualVault before outputAmount is calculated or state changes are finalized.
Violates Checks-Effects-Interactions Pattern: The external interaction happens before state updates, leaving the contract vulnerable to state manipulation.
Example Attack Scenario
Malicious Token Contract: A fake token’s transfer function calls back into PerpetualVault.withdraw during the swap.
Reentrancy Exploit: The attacker’s withdraw executes before outputAmount is finalized, allowing double-spending or fund theft.
Impact
Fund Drain: Attackers can withdraw funds multiple times in a single transaction.
State Corruption: Intermediate calculations (e.g. outputAmount) will reflect incorrect balances.
Tools Used
Manual review, static analysis
Recommendations
Apply Reentrancy Guard: Use the nonReentrant modifier from ReentrancyGuardUpgradeable on _doDexSwap.
Verification
Test Case 1 (Legitimate Swap):
User swaps 100 USDC for ETH via ParaSwap.
nonReentrant blocks recursive calls, ensuring outputAmount is calculated once.
Test Case 2 (Malicious Reentrancy):
Attacker deploys a token that calls withdraw during ParaSwapUtils.swap.
nonReentrant reverts the second call, preventing fund theft.
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.