Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Status: Invalid

Reentrancy in buyBackNFT, NFTLiquidator.sol

Summary

In the buyBackNFT function, state variables are updated after external calls, which creates a reentrancy vulnerability. This could allow an attacker to re-enter the function multiple times before the state updates, leading to potential fund loss.

Vulnerability Details

```solidity
function buyBackNFT(uint256 tokenId) external payable {
    TokenData storage data = tokenData[tokenId];
    // Checks
    if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();
    if (nftContract.ownerOf(tokenId) != address(this)) revert NFTNotInLiquidation();
    uint256 price = data.debt * 11 / 10; // 110% of the debt
    if (msg.value < price) revert InsufficientPayment(price);
    // External call: refund the previous highest bidder before any state change
    if (data.highestBidder != address(0)) {
        payable(data.highestBidder).transfer(data.highestBid);
    }
    delete tokenData[tokenId];
    // Update the state after external call
    nftContract.transferFrom(address(this), msg.sender, tokenId);
    payable(stabilityPool).transfer(price);
    // Update the state after external call
    if (msg.value > price) {
        payable(msg.sender).transfer(msg.value - price);
    }
    emit BuybackCompleted(tokenId, msg.sender, price);
}
```

Impact

The function makes multiple external calls (transfer()) before updating contract state.

  • A malicious contract could use its fallback function to re-enter buyBackNFT while it is still executing, triggering multiple transfers and draining the contract.

Tools Used

Manual review

Recommendations

To fix the issue, apply a nonReentrant modifier to buyBackNFT and perform all state updates before making any external calls (checks-effects-interactions).
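The following is an added example of the recommended fix, written for this page rather than taken from the Regnum Aurum codebase. It assumes OpenZeppelin's ReentrancyGuard and IERC721; the TokenData layout, error names and event are modelled on the snippet in the report and may differ from the real contract. It reorders buyBackNFT so that storage is cleared before any value leaves the contract, and guards the function against re-entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). Assumes OpenZeppelin's
// ReentrancyGuard and IERC721 are available as dependencies.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

contract NFTLiquidatorHardened is ReentrancyGuard {
    // Assumed layout, modelled on the fields used in the report's snippet.
    struct TokenData {
        uint256 debt;
        uint256 auctionEndTime;
        address highestBidder;
        uint256 highestBid;
    }

    error AuctionHasEnded();
    error NFTNotInLiquidation();
    error InsufficientPayment(uint256 price);
    error EthTransferFailed(address to, uint256 amount); // assumed, added here

    event BuybackCompleted(uint256 indexed tokenId, address indexed buyer, uint256 price);

    IERC721 public immutable nftContract;
    address public immutable stabilityPool;
    mapping(uint256 => TokenData) public tokenData;

    constructor(IERC721 _nftContract, address _stabilityPool) {
        nftContract = _nftContract;
        stabilityPool = _stabilityPool;
    }

    function buyBackNFT(uint256 tokenId) external payable nonReentrant {
        // Checks: read a memory copy so the values survive the delete below.
        TokenData memory data = tokenData[tokenId];
        if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();
        if (nftContract.ownerOf(tokenId) != address(this)) revert NFTNotInLiquidation();
        uint256 price = data.debt * 11 / 10; // 110% of the debt
        if (msg.value < price) revert InsufficientPayment(price);

        // Effects: clear the liquidation record before any external call,
        // so a re-entrant call sees auctionEndTime == 0 and reverts.
        delete tokenData[tokenId];

        // Interactions: all transfers happen after state is final.
        nftContract.transferFrom(address(this), msg.sender, tokenId);
        if (data.highestBidder != address(0)) {
            _sendEth(data.highestBidder, data.highestBid);
        }
        _sendEth(stabilityPool, price);
        if (msg.value > price) {
            _sendEth(msg.sender, msg.value - price);
        }

        emit BuybackCompleted(tokenId, msg.sender, price);
    }

    // Low-level send that forwards all gas; safe only because the caller
    // is nonReentrant and has already finished its state changes.
    function _sendEth(address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        if (!ok) revert EthTransferFailed(to, amount);
    }
}
```

Two design choices worth noting. The `delete` now precedes every external call, so even without the guard a re-entrant call would fail the `auctionEndTime` check; the `nonReentrant` modifier is defence in depth. The example also replaces `transfer()` with `call{value: ...}`, because the 2300-gas stipend of `transfer()` breaks for some recipients; that change forwards full gas to the callee, which is exactly why the checks-effects-interactions ordering and the guard must be in place.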

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
