code-423n4 / 2021-09-wildcredit-findings


`repayAllETH()` The check if amount is valid can be done earlier #78

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LendingPair.sol#L221-L235

```solidity
function repayAllETH(address _account, uint _maxAmount) external payable nonReentrant {
  _validateToken(address(WETH));
  accrue(address(WETH));

  uint amount = _repayShares(_account, address(WETH), debtSharesOf[address(WETH)][_account]);
  require(msg.value >= amount, "LendingPair: insufficient ETH deposit");
  require(amount <= _maxAmount, "LendingPair: amount <= _maxAmount");

  _depositWeth();
  uint refundAmount = msg.value > amount ? (msg.value - amount) : 0;

  if (refundAmount > 0) {
    _wethWithdrawTo(msg.sender, refundAmount);
  }
}
```

Recommendation

Use Checks-Effects-Interactions pattern for all functions.
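The ordering recommended above, as an added example that is not part of the original issue or of the Wild Credit code base: both `require` checks run before any storage write, so a call that fails them reverts without paying for the state update. The contract name, the flat `debtOf` ledger, `setDebt`, and the direct ETH refund are assumptions standing in for the project's debt shares and WETH helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-in for LendingPair (hypothetical, for illustration only).
contract RepayOrderingExample {
    // Hypothetical ledger: debt in wei per account. The real contract
    // tracks debt shares per token and wraps ETH into WETH.
    mapping(address => uint) public debtOf;

    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Constructed setup helper so the example can be exercised in a test.
    function setDebt(address _account, uint _amount) external {
        debtOf[_account] = _amount;
    }

    function repayAllETH(address _account, uint _maxAmount) external payable nonReentrant {
        // Checks: read the amount owed and validate both bounds before any write.
        uint amount = debtOf[_account];
        require(msg.value >= amount, "insufficient ETH deposit");
        require(amount <= _maxAmount, "amount exceeds _maxAmount");

        // Effects: clear the debt only after every check has passed.
        debtOf[_account] = 0;

        // Interactions: the external call (refund of any surplus) comes last.
        // The subtraction cannot underflow because msg.value >= amount holds.
        uint refundAmount = msg.value - amount;
        if (refundAmount > 0) {
            (bool ok, ) = msg.sender.call{value: refundAmount}("");
            require(ok, "refund failed");
        }
    }
}
```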

talegift commented 2 years ago

Duplicate #49

ghoul-sol commented 2 years ago

it's gas optimization