Clearwood
commented
3 years ago We do not believe the functions to need this flag as at the end the virtual balance is compared to the actual balance
Closed code423n4 closed 3 years ago
Clearwood
commented
3 years ago We do not believe the functions to need this flag as at the end the virtual balance is compared to the actual balance
ghoul-sol
commented
3 years ago Given the that no exploit was actually found and sponsor comment I'm making this invalid.
Handle
gpersoon
Vulnerability details
Impact
The function commitEth of Crowdsale.sol is nonReentrant. However the commitEth functions of the other auction contracts don't have this keyword.
Assuming the nonReentrant is important, it should also be added in the other contracts
Proof of Concept
https://github.com/sushiswap/miso/blob/master/contracts/Auctions/Crowdsale.sol#L223 function commitEth(address payable _beneficiary, bool readAndAgreedToMarketParticipationAgreement ) public payable nonReentrant {
https://github.com/sushiswap/miso/blob/master/contracts/Auctions/BatchAuction.sol#L190 function commitEth(address payable _beneficiary, bool readAndAgreedToMarketParticipationAgreement) public payable {
https://github.com/sushiswap/miso/blob/master/contracts/Auctions/DutchAuction.sol#L261
function commitEth(address payable _beneficiary,bool readAndAgreedToMarketParticipationAgreement) public payable {
https://github.com/sushiswap/miso/blob/master/contracts/Auctions/HyperbolicAuction.sol#L265 function commitEth(address payable _beneficiary,bool readAndAgreedToMarketParticipationAgreement) public payable {
Tools Used
Recommended Mitigation Steps
Add nonReentrant to all the commitEth functions