Closed zajck closed 1 year ago
setAllowlistedFunctions is missing the reentrancy guard, which under certain circumstances allows the attacker to impersonate the admin account and modify the allow list.
setAllowlistedFunctions
https://github.com/bosonprotocol/boson-protocol-contracts/blob/9070c0484634cec7bec793808a43ca20616d889a/contracts/protocol/facets/MetaTransactionsHandlerFacet.sol#L339-L342
Add the reentrancy guard.
Good catch here.
mischat
commented
1 year ago
setAllowlistedFunctionsis missing the reentrancy guard, which under certain circumstances allows the attacker to impersonate the admin account and modify the allow list.https://github.com/bosonprotocol/boson-protocol-contracts/blob/9070c0484634cec7bec793808a43ca20616d889a/contracts/protocol/facets/MetaTransactionsHandlerFacet.sol#L339-L342
Recommendation
Add the reentrancy guard.