Problem
Functions such as `amendSellOrder`, `cancelSellOrder`, and `buyOrder` interact with external ERC20 contracts via `safeTransfer` and `safeTransferFrom`.
If a malicious ERC20 token is whitelisted, it could execute a reentrancy attack by calling back into the contract before state changes are finalized.
Chained Risk:
Attackers could combine reentrancy with other vulnerabilities (e.g., fee withdrawal or order amendments) to drain funds or corrupt order state.
Recommended Mitigation:
Use OpenZeppelin’s ReentrancyGuard on all external functions that transfer tokens.
Always update contract state before making any external calls.
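As an added illustration (not code from the audited project), the following contract contrasts the unsafe ordering described above with the recommended one: `cancelSellOrderUnsafe` performs the token transfer before clearing order state, so a whitelisted token whose transfer hook re-enters would observe the order as still active; `cancelSellOrder` applies checks-effects-interactions and OpenZeppelin's `nonReentrant` modifier. The `Order` struct, its fields, and the `orders` mapping are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 import paths; adjust if the project pins v4.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Illustrative order book; the storage layout below is assumed, not the audited contract's.
contract OrderBookExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    struct Order {
        address seller;  // assumed field
        IERC20 token;    // whitelisted ERC20 held in escrow (assumed field)
        uint256 amount;  // escrowed amount still owed to the seller (assumed field)
        bool active;     // assumed field
    }

    mapping(uint256 => Order) public orders; // assumed storage

    // UNSAFE ordering (the pattern the finding warns about):
    // the external call happens while `active` is still true, so a token
    // that calls back into this function would pass the require again.
    function cancelSellOrderUnsafe(uint256 id) external {
        Order storage o = orders[id];
        require(o.active && o.seller == msg.sender, "not your order");
        o.token.safeTransfer(o.seller, o.amount); // interaction first
        o.active = false;                          // effects last
        o.amount = 0;
    }

    // HARDENED ordering: checks, then effects, then the single interaction,
    // with ReentrancyGuard as defence in depth on top of the ordering.
    function cancelSellOrder(uint256 id) external nonReentrant {
        Order storage o = orders[id];
        require(o.active && o.seller == msg.sender, "not your order");
        uint256 refund = o.amount;  // capture before clearing state
        o.active = false;           // effects before any external call
        o.amount = 0;
        o.token.safeTransfer(o.seller, refund); // interaction last
    }

    // amendSellOrder follows the same discipline: adjust stored amount first,
    // then settle the difference with the token in one external call.
    function amendSellOrder(uint256 id, uint256 newAmount) external nonReentrant {
        Order storage o = orders[id];
        require(o.active && o.seller == msg.sender, "not your order");
        uint256 oldAmount = o.amount;
        o.amount = newAmount; // effect recorded before interaction
        if (newAmount > oldAmount) {
            o.token.safeTransferFrom(msg.sender, address(this), newAmount - oldAmount);
        } else if (newAmount < oldAmount) {
            o.token.safeTransfer(msg.sender, oldAmount - newAmount);
        }
    }
}
```

The `nonReentrant` modifier alone would block the re-entrant call, but the state-before-call ordering is what keeps the contract correct even in functions that are later added without the modifier, which is why both measures are recommended together.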