Missing Checks-Effects-Interactions (CEI) Pattern in `Treasury::deposit` Function
Summary
The deposit function updates contract state (_balances and _totalValue) after transferring tokens via IERC20(token).transferFrom. This violates the Checks-Effects-Interactions (CEI) pattern. While the nonReentrant modifier from OpenZeppelin provides some protection against reentrancy, this pattern is still considered a best practice to ensure robustness and mitigate risks from edge cases or future changes.
Vulnerability Details
The vulnerability lies in the following part of the deposit function:
The function performs an external call transferFrom before updating the state _balances and _totalValue. This violates the CEI pattern, which mandates that state changes should occur before any external calls to prevent reentrancy attacks.
Impact
The nonReentrant modifier significantly reduces the risk of reentrancy, but the violation of the CEI pattern introduces a potential risk if the modifier is removed or bypassed in edge cases.
This could lead to inconsistent contract state and incorrect token balances.
Tools Used
Manual Code Review
Recommendations
To mitigate this vulnerability, adhere to the Checks-Effects-Interactions (CEI) pattern by updating the state before making the external call.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.