code-423n4 / 2021-04-basedloans-findings


Potential reentrancy caused by the `doTransferIn` function of the `CErc20` contract. #42

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The `doTransferIn` function in the `CErc20` contract transfers the underlying token to the contract itself by calling `transferFrom`. However, if the underlying token supports the ERC777 standard, the sender may register a transfer hook at the token contract to get the execution flow when `transferFrom` is called. He could then re-enter some functions in the `CToken` contract, such as `mintFresh` and `repayBorrowFresh`, which are in an intermediate state, causing unexpected results.

Proof of Concept

Referenced code: CErc20.sol#L147 CToken.sol#L530 CToken.sol#L893 CToken.sol#L1262

Tools Used

None

Recommended Mitigation Steps

Add reentrancy guards to critical functions in both `CErc20` and `CToken`.

ghoul-sol commented 3 years ago

doTransferIn is called in 3 functions:

I don't see a way to re-enter.

cemozerr commented 3 years ago

I'm closing this as not a bug due to @ghoul-sol the fact that all the functions affected are protected by a nonReentrant modifier.
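
The call flow discussed in this thread, as an added Python model (not code from the issue or from the audited contracts): a token that runs a sender hook inside `transfer_from`, and a market whose `mint` calls `do_transfer_in` with and without a guard modelled on `nonReentrant`. `HookedToken`, `Market`, `run` and the `alice` balance are hypothetical names and constructed values.

```python
class ReentrancyError(Exception):
    """Stands in for the revert raised by a nonReentrant modifier."""

class HookedToken:
    """Toy ERC777-style token: runs the sender's hook inside transfer_from."""
    def __init__(self):
        self.balances, self.hooks = {}, {}
    def transfer_from(self, sender, recipient, amount):
        hook = self.hooks.get(sender)
        if hook:
            hook()  # control passes to sender-chosen code mid-transfer
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class Market:
    """Toy stand-in for the CErc20/CToken pair; only mint is modelled."""
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.not_entered, self.depth, self.max_depth = True, 0, 0
    def do_transfer_in(self, sender, amount):
        self.token.transfer_from(sender, "market", amount)
    def mint(self, minter, amount):
        if self.guarded:
            if not self.not_entered:
                raise ReentrancyError("re-entered")
            self.not_entered = False
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        try:
            self.do_transfer_in(minter, amount)  # external call in intermediate state
        finally:
            self.depth -= 1
            self.not_entered = True

def run(guarded):
    """Return (outcome, deepest nesting of mint, tokens received by the market)."""
    token = HookedToken()
    token.balances["alice"] = 100  # constructed sample balance
    market = Market(token, guarded)
    pending = [True]
    def hook():  # re-enters mint exactly once
        if pending and pending.pop():
            market.mint("alice", 10)
    token.hooks["alice"] = hook
    try:
        market.mint("alice", 10)
    except ReentrancyError:
        return "reverted", market.max_depth, token.balances.get("market", 0)
    return "completed", market.max_depth, token.balances.get("market", 0)
```

A nesting depth of 2 in the unguarded run means a second `mint` executed while the first had not finished; with the guard the nested call fails and no tokens move, which on-chain corresponds to the whole transaction reverting.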