The internal _replaceScope function performs external contract calls while in the middle of clearing and reconstructing the scope state arrays. This violation of the Checks-Effects-Interactions (CEI) pattern introduces potential reentrancy risks and transient state inconsistencies.
When updating the pool's insured scope, the contract clears the previous mapping, deletes _scopeAccounts, and iterates over the new list.
Inside the loop, the contract calls the external agreement contract via IAgreement(agreement).isContractInScope(account). Because this external call occurs before the new elements are completely written to storage, the contract’s state is in a half-constructed transient phase during the external interaction. If the target agreement contract is malicious or behaves dynamically, it can reenter the pool or cause dependent state checks to view an inconsistent scope, breaking the wholesale replacement assumption.
Likelihood:
Occurs whenever the owner updates the pool scope via setPoolScope.
Triggered if the associated agreement executes arbitrary code or callbacks during its isContractInScope execution.
Impact:
Reentrancy vulnerabilities where transient state can be abused to bypass scope checks.
Inconsistent event emissions or state divergence if the call reverts or reenters during scope mutation.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.