[L-7] - Use OpenZeppelin’s nonReentrant modifier to Avoid Reentrancy Risk.
Several functions in the BidBeastsNFTMarket contract are exposed to reentrancy. To avoid reentrancy issues, use the nonReentrant modifier provided by OpenZeppelin's ReentrancyGuard. The modifier prevents a guarded function from being entered again while an earlier call to it is still executing.
Likelihood: Low.
Impact: Low.
The following functions call the _payout or _executeSale helpers without the nonReentrant modifier. This can lead to reentrancy attacks, where the recipient of an external call re-enters the function before it has completed its execution.
listNFT()
placeBid()
settleAuction()
takeHighestBid()
unlistNFT()
withdrawAllFailedCredits()
withdrawFee()
Review all external and public functions in the BidBeastsNFTMarket contract and apply the nonReentrant modifier to functions that involve state changes, external calls, or transfers of Ether or tokens. This ensures protection against reentrancy attacks.
Here is an example of how you can add a nonReentrant modifier to the placeBid function:
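The snippet below is an added illustration, not the finding's own code and not the BidBeastsNFTMarket source: a reduced placeBid on a stand-in contract with an assumed storage layout and an assumed body for the _payout helper and withdrawAllFailedCredits, showing nonReentrant combined with checks-effects-interactions so the refund to the outbid bidder happens only after the new bid is recorded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 import path (assumed); in v4 the file is security/ReentrancyGuard.sol.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Minimal stand-in for the market (assumed layout, not the real contract):
// each tokenId holds one highest bid, and an outbid bidder is refunded.
contract GuardedBidExample is ReentrancyGuard {
    struct Bid { address bidder; uint256 amount; }

    mapping(uint256 => Bid) public highestBid;
    // Refunds that could not be delivered are held for a later pull-style withdrawal.
    mapping(address => uint256) public failedCredits;

    event BidPlaced(uint256 indexed tokenId, address indexed bidder, uint256 amount);

    // nonReentrant reverts if placeBid is entered again while an earlier call is
    // still on the stack, e.g. from the receive() of the bidder being refunded.
    function placeBid(uint256 tokenId) external payable nonReentrant {
        Bid memory prev = highestBid[tokenId];
        require(msg.value > prev.amount, "bid too low");

        // Effects first: record the new bid before any external call.
        highestBid[tokenId] = Bid(msg.sender, msg.value);
        emit BidPlaced(tokenId, msg.sender, msg.value);

        // Interaction last: refund the outbid bidder; a failed refund never reverts the bid.
        if (prev.bidder != address(0)) {
            _payout(prev.bidder, prev.amount);
        }
    }

    // Pull-style withdrawal of refunds that failed to deliver; also guarded.
    function withdrawAllFailedCredits() external nonReentrant {
        uint256 amount = failedCredits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        failedCredits[msg.sender] = 0; // zero the balance before sending
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Assumed _payout body: credit the recipient instead of reverting on failure.
    function _payout(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) {
            failedCredits[to] += amount;
        }
    }
}
```

The modifier is the backstop; the state update before the refund is what makes a re-entered placeBid see the already-recorded bid and fail the `msg.value > prev.amount` check even without the guard.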