code-423n4 / 2021-09-defiprotocol-findings


Reentrancy during Bounty withdrawal #266

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In Auction.settleAuction, the auctionBonder can withdraw some bounty tokens from the contract. Since these can be any tokens, the bonder can donate his special """token""" first, then call settleAuction: at the line withdrawBounty(bountyIDs) the execution is passed to their custom contract. A re-entrancy here is also possible since auctionOngoing and hasBonded are modified only at the end of the function. I don't see how this can cause any issue at the moment, but if in the future this contract and Basket.sol are upgraded, it's better to play safe and mitigate possible issues now.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Auction.sol#L102

Tools Used

editor

Recommended Mitigation Steps

Consider moving auctionOngoing = false and hasBonded = false before any uncontrolled external contract call.
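
The ordering issue and the recommended change, as an added example that is not part of the original finding and is not the project's Auction.sol. It is a simplified model: only `auctionOngoing`, `hasBonded`, `auctionBonder` and `settleAuction` are names from the finding; `AuctionModel`, `CallbackToken`, `IBountyToken`, `effectsFirst` and `settle` are hypothetical, and a single `transfer` stands in for `withdrawBounty(bountyIDs)`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IBountyToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified model for illustration (assumption), not the project's contract.
contract AuctionModel {
    bool public auctionOngoing = true;
    bool public hasBonded = true;
    address public auctionBonder;
    IBountyToken public bountyToken;     // stands in for tokens paid by withdrawBounty
    bool public immutable effectsFirst;  // true = ordering recommended in the finding

    constructor(address bonder, IBountyToken token, bool effectsFirst_) {
        auctionBonder = bonder;
        bountyToken = token;
        effectsFirst = effectsFirst_;
    }

    function settleAuction() external {
        require(auctionOngoing && hasBonded, "auction not settleable");
        require(msg.sender == auctionBonder, "not bonder");
        // Recommended ordering: clear the flags before the external call.
        if (effectsFirst) { auctionOngoing = false; hasBonded = false; }
        bountyToken.transfer(msg.sender, 1); // uncontrolled external call
        // Ordering described in the finding: flags cleared only at the end.
        if (!effectsFirst) { auctionOngoing = false; hasBonded = false; }
    }
}

// Test double: a bounty token that is also the bonder and calls back in transfer().
contract CallbackToken is IBountyToken {
    AuctionModel public auction;
    bool public reentered;    // true if the nested settleAuction() passed its guards
    bool private inCallback;  // limits the callback to one level of nesting

    function settle(bool effectsFirst) external {
        reentered = false;
        auction = new AuctionModel(address(this), this, effectsFirst);
        auction.settleAuction();
    }

    function transfer(address, uint256) external override returns (bool) {
        if (!inCallback) {
            inCallback = true;
            try auction.settleAuction() { reentered = true; } catch {}
            inCallback = false;
        }
        return true;
    }
}
```

Calling `settle(false)` leaves `reentered` set to `true` because the nested call still sees both flags set; calling `settle(true)` leaves it `false` because the nested call reverts on the first `require`.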

frank-beard commented 2 years ago

https://github.com/code-423n4/2021-09-defiprotocol-findings/issues/31

GalloDaSballo commented 2 years ago

Duplicate of #270