RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: medium
Invalid

CEI Pattern Not Fully Followed in `contribute` Function

Summary: There is a potential for reentrancy attacks if external calls are made before state updates.

Vulnerability Details: In the `contribute` function, the Checks-Effects-Interactions (CEI) pattern is not properly implemented. Specifically, it performs interactions (transferring SOL) before updating the state (effects), potentially introducing vulnerabilities. The `contribute` function does interactions (SOL transfer) before effects (updating `fund.amount_raised`), violating CEI.

Impact: There is a potential for reentrancy attacks if external calls are made before state updates.

  • The current order could lead to an inconsistent state if the SOL transfer fails after partial state updates, though in this case, the transfer precedes state changes.

Recommendations

  1. Checks: Validate conditions (e.g., deadline, contribution amount).

  2. Effects: Update the state (e.g., contribution.amount, fund.amount_raised).

  3. Interactions: Perform the SOL transfer.

  • Ensure all state changes occur before any external interactions.
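As an added illustration of the recommended order (not the RustFund program's code): a plain-Rust model of `contribute` that runs the checks, updates `contribution.amount` and `fund.amount_raised`, and only then performs the transfer. The structs, field names and the `transfer` hook are assumptions; the hook stands in for the system-program CPI.

```rust
// Added plain-Rust model (not RustFund's code); structs and the `transfer`
// hook are assumptions standing in for Anchor accounts and the system CPI.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ContributeError { DeadlinePassed, ZeroAmount, Overflow, TransferFailed }

/// Crowdfund state account (assumed shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Fund { pub deadline: u64, pub amount_raised: u64 }

/// Per-contributor record (assumed shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Contribution { pub amount: u64 }

/// `transfer` plays the role of the system-program CPI that moves `amount`
/// lamports from the contributor to the fund. A Solana instruction is atomic:
/// if any step returns Err the runtime discards all account writes, so doing
/// the effects before the interaction cannot leave the accounts half-updated.
pub fn contribute<F>(
    fund: &mut Fund,
    contribution: &mut Contribution,
    amount: u64,
    now: u64,
    transfer: F,
) -> Result<(), ContributeError>
where
    F: FnOnce(u64) -> Result<(), ContributeError>,
{
    // 1. Checks: validate deadline and contribution amount first.
    if now > fund.deadline {
        return Err(ContributeError::DeadlinePassed);
    }
    if amount == 0 {
        return Err(ContributeError::ZeroAmount);
    }

    // 2. Effects: update contribution.amount and fund.amount_raised with
    //    overflow-checked arithmetic.
    contribution.amount = contribution
        .amount
        .checked_add(amount)
        .ok_or(ContributeError::Overflow)?;
    fund.amount_raised = fund
        .amount_raised
        .checked_add(amount)
        .ok_or(ContributeError::Overflow)?;

    // 3. Interactions: the SOL transfer is the last step.
    transfer(amount)
}
```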

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Reentrancy

Reentrancy attacks occur when the contract modifies state and makes an external call, allowing the attacker to reenter. The `contribute` function doesn't perform an external call. For the SOL transfer, the function uses a system program, not an external call to another smart contract. Therefore, there is no attack vector for reentrancy.
