Closed code423n4 closed 3 years ago
`doTransferIn` is called in 3 functions:
- `mintFresh`, called by `mintInternal` which is protected by `nonReentrant` modifier
- `repayBorrowFresh`, called by `repayBorrowInternal` and `repayBorrowBehalfInternal` which are protected by `nonReentrant` modifier
- `_addReservesFresh`, called by `_addReservesInternal` which is protected by `nonReentrant` modifier

I don't see a way to re-enter.
I'm closing this as not a bug due to @ghoul-sol the fact that all the functions affected are protected by a nonReentrant modifier.
Handle
shw
Vulnerability details
Impact
The `doTransferIn` function in the `CErc20` contract transfers the underlying token to the contract itself by calling `transferFrom`. However, if the underlying token supports the `ERC777` standard, the sender may register a transfer hook at the token contract to get the execution flow when `transferFrom` is called. He could then re-enter some functions in the `CToken` contract, such as `mintFresh` and `repayBorrowFresh`, which are in an intermediate state, causing unexpected results.
Proof of Concept
Referenced code: CErc20.sol#L147 CToken.sol#L530 CToken.sol#L893 CToken.sol#L1262
Tools Used
None
Recommended Mitigation Steps
Add reentrancy guards to critical functions in both `CErc20` and `CToken`.
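
The call chain discussed in this thread, as an added Python model that is not code from the audited contracts: a constructed ERC777-style token runs the sender's hook inside `transferFrom`, and the hook tries to call back into a `mintInternal`-style entry point. All class and method names, the `guarded` switch and the sample account are assumptions made for illustration.

```python
class Reverted(Exception): pass  # stands in for an EVM revert

class HookToken:
    """Constructed ERC777-style token: transferFrom runs the sender's hook."""
    def __init__(self):
        self.hooks = {}  # sender -> callable invoked during the transfer
    def transfer_from(self, sender, amount):
        hook = self.hooks.get(sender)
        if hook:
            hook()  # execution flow passes to the sender mid-transfer
        return amount

class Market:
    """Simplified model of mintInternal -> mintFresh -> doTransferIn."""
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.not_entered = True  # flag checked by the modelled nonReentrant guard
        self.depth = self.max_depth = 0
    def mint_internal(self, minter, amount):
        if self.guarded:
            if not self.not_entered:
                raise Reverted("re-entered")  # nested call stops here
            self.not_entered = False
        try:
            return self.mint_fresh(minter, amount)
        finally:
            self.not_entered = True
    def mint_fresh(self, minter, amount):
        self.depth += 1  # track how deeply mint_fresh is nested
        self.max_depth = max(self.max_depth, self.depth)
        try:
            return self.token.transfer_from(minter, amount)  # doTransferIn
        finally:
            self.depth -= 1

def simulate(guarded):
    """Return (outcome, deepest nesting of mint_fresh) for one hooked mint."""
    token, attempts = HookToken(), []
    market = Market(token, guarded)
    def hook():
        if not attempts:  # try to re-enter exactly once
            attempts.append(1)
            market.mint_internal("alice", 1)
    token.hooks["alice"] = hook  # constructed sample account
    try:
        market.mint_internal("alice", 100)
        return ("completed", market.max_depth)
    except Reverted:
        return ("reverted", market.max_depth)
```

With the guard on the entry point, the nested call reverts before `mint_fresh` runs a second time; with it off, the hook reaches `mint_fresh` while the first call is still in progress.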