Closed zajck closed 1 year ago
setAllowlistedFunctions is missing the reentrancy guard, which under certain circumstances allows the attacker to impersonate the admin account and modify the allow list.
https://github.com/bosonprotocol/boson-protocol-contracts/blob/9070c0484634cec7bec793808a43ca20616d889a/contracts/protocol/facets/MetaTransactionsHandlerFacet.sol#L339-L342
Recommendation
Add the reentrancy guard.
Good catch here.