DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Invalid

Reentrancy in `PerpetualVault.sol::_cancelFlow()`

Summary

The _cancelFlow() function in PerpetualVault.sol performs external token transfers before updating the state. This creates a reentrancy vulnerability that attackers could exploit to withdraw funds multiple times.

Vulnerability Details

    collateralToken.safeTransfer(depositInfo[depositId].owner, depositInfo[depositId].amount);
    delete depositInfo[depositId];

safeTransfer() is called before delete depositInfo[depositId], allowing an attacker to reenter the contract and manipulate depositInfo before deletion.

Impact

  • POC

    contract ReentrancyAttacker {
        PerpetualVault vault;

        constructor(address _vault) {
            vault = PerpetualVault(_vault);
        }

        function attack(uint256 depositId) external {
            vault.cancelFlow(depositId);
            // Reenter before state updates, causing multiple withdrawals
        }
    }

The attacker could call cancelFlow() repeatedly before state variables are updated, draining the vault.

  • Fund Theft: Attackers can withdraw more than they are entitled to.

  • Denial of Service: Reentrancy attacks could lock the contract and prevent legitimate withdrawals.

Tools Used

Manual Review

Recommendations

  • Use Reentrancy Guard (nonReentrant)

  • Apply Checks-Effects-Interactions Pattern
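
Both recommendations applied to the transfer-then-delete ordering quoted under Vulnerability Details, as an added example that is not code from the submission or from PerpetualVault. The contract name, the `deposit()` helper, `nextDepositId`, the owner check, the struct layout beyond `owner` and `amount`, and the inline guard are assumptions; a plain `transfer` stands in for `safeTransfer` to keep the block self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (stand-in for the vault's real token library).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CancelFlowSketch {
    struct DepositInfo { address owner; uint256 amount; } // assumed layout

    IERC20 public immutable collateralToken;
    mapping(uint256 => DepositInfo) public depositInfo;
    uint256 public nextDepositId = 1;   // hypothetical id counter
    uint256 private _locked = 1;        // 1 = idle, 2 = inside a guarded call

    // Recommendation 1: reject any nested entry into a guarded function.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 token) { collateralToken = token; }

    // Hypothetical way to create a record so the cancel path has something to refund.
    function deposit(uint256 amount) external nonReentrant returns (uint256 depositId) {
        depositId = nextDepositId++;
        depositInfo[depositId] = DepositInfo(msg.sender, amount);
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Recommendation 2: checks, then effects, then interactions.
    function cancelFlow(uint256 depositId) external nonReentrant {
        // Checks: copy the record to memory and validate the caller (assumed rule).
        DepositInfo memory info = depositInfo[depositId];
        require(info.owner == msg.sender, "not deposit owner");

        // Effects: the record is gone before any external call is made.
        delete depositInfo[depositId];

        // Interactions: a nested call now finds owner == address(0) and reverts.
        require(collateralToken.transfer(info.owner, info.amount), "transfer failed");
    }
}
```

With the record deleted before the transfer, a second refund for the same `depositId` fails the owner check even if the guard were absent; the guard additionally covers other guarded functions that share state.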

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
