Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect index in InheritanceManager::nonReentrant modifier enables reentrancy attacks

freesultan

Summary

Incorrect index usage in the InheritanceManager::nonReentrant modifier renders the reentrancy protection ineffective, leaving functions that rely on this modifier vulnerable to reentrancy attacks.

Vulnerability Details

The nonReentrant modifier in the InheritanceManager contract incorrectly checks transient storage slot 1 while setting the lock on slot 0:

/**
* @dev gas efficient cross-function reentrancy lock using transient storage
* @notice refer here: https://soliditylang.org/blog/2024/01/26/transient-storage/
*/
modifier nonReentrant() {
assembly {
@> if tload(1) { revert(0, 0) }
tstore(0, 1)
}
_;
assembly {
tstore(0, 0)
}
}

The modifier is intended to prevent reentrancy by checking if a lock is set in transient storage and reverting if it is. However, it checks slot 1 (via tload(1)) while setting and clearing the lock on slot 0 (via tstore(0, 1) and tstore(0, 0)). This mismatch means the reentrancy check does not correspond to the slot being locked, rendering the guard ineffective

Impact

Any function that uses this modifier as a reentrancy guard is vulnerable to reentrancy attack

Tools Used

Manumal code review

Recommendations

Correct the modifier to check slot 0:

modifier nonReentrant() {
assembly {
- if tload(1) { revert(0, 0) }
+ if tload(0) { revert(0, 0) }
tstore(0, 1)
}
_;
assembly {
tstore(0, 0)
}
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong value in nonReentrant modifier

0xtimefliez Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong value in nonReentrant modifier

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.