Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Reentrancy Risk in buy Function

ibukunola

Summary

The buy() function calls usdc.transferFrom() before updating state variables like totalRemaining, violating the checks-effects-interactions pattern. This opens a slim reentrancy window where a malicious businessAddress could buy extra ZENO before the supply updates. Though low-likelihood with standard USDC, the medium-impact risk warrants caution.

Vulnerability Details

The buy() function transfers USDC to businessAddress before updating totalRemaining, lastBidTime, or lastBidder. If businessAddress is a contract, it could re-enter buy() during transferFrom(). Example:

businessAddress re-enters buy() before totalRemaining decreases.
It buys additional ZENO, exceeding the intended supply limit.
While USDC lacks hooks, a custom token or malicious recipient could exploit this.

Impact

An attacker could acquire more ZENO than allowed, disrupting the auction’s fairness and supply constraints—a medium-impact issue. The likelihood is low with standard USDC and a trusted businessAddress, but the risk grows if these assumptions change, making it a future-proofing concern.

Tools Used

Manual Code Review: To spot the interaction-before-effects sequence.

Recommendations

Update state before the external call:

state.totalRemaining -= amount;
state.lastBidTime = block.timestamp;
state.lastBidder = msg.sender;
require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");```
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.