search

code-423n4 / 2022-01-openleverage-findings

0 stars 0 forks source link

Multiple potential reentrancies #270

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0v3rf10w

Vulnerability details

Impact

Reentrancy possibilities at multiple places.

Proof of Concept

Reentrancy in FarmingPools.exit(address) (contracts/farming/FarmingPools.sol#111-114):

        External calls:
        - withdraw(stakeToken,rewards[stakeToken][msg.sender].stakes) (contracts/farming/FarmingPools.sol#112)
        - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)

        State variables written after the call(s):
        - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)
                - distributions[stakeToken].rewardPerTokenStored = rewardPerTokenStored (contracts/farming/FarmingPools.sol#59)
                - distributions[stakeToken].lastUpdateTime = lastTimeRewardApplicable(stakeToken) (contracts/farming/FarmingPools.sol#60)
        - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)
                - rewards[stakeToken][msg.sender].rewards = 0 (contracts/farming/FarmingPools.sol#119)
                - rewards[stakeToken][account].rewards = earned(stakeToken,account) (contracts/farming/FarmingPools.sol#62)
                - rewards[stakeToken][account].userRewardPerTokenPaid = rewardPerTokenStored (contracts/farming/FarmingPools.sol#63)
Reentrancy in LPool.addReserves(uint256) (contracts/liquidity/LPool.sol#969-976):
        External calls:
        - actualAddAmount = doTransferIn(msg.sender,addAmount,true) (contracts/liquidity/LPool.sol#972)
                - address(_token).call(abi.encodeWithSelector(_token.transferFrom.selector,_from,_to,_amount)) (contracts/lib/TransferHelper.sol#29)
                - IWETH(underlying).deposit{value: actualAmount}() (contracts/liquidity/LPool.sol#279)
                - actualAmount = IERC20(underlying).safeTransferFrom(from,address(this),amount) (contracts/liquidity/LPool.sol#281)
        External calls sending eth:
        - actualAddAmount = doTransferIn(msg.sender,addAmount,true) (contracts/liquidity/LPool.sol#972)
                - IWETH(underlying).deposit{value: actualAmount}() (contracts/liquidity/LPool.sol#279)
        State variables written after the call(s):
        - totalReserves = totalReservesNew (contracts/liquidity/LPool.sol#974)
Reentrancy in OLETokenLock.transferTo(address,uint256) (contracts/OLETokenLock.sol#55-70):
        External calls:
        - releaseInternal(beneficiary) (contracts/OLETokenLock.sol#61)
                - token.transfer(beneficiary,releaseAmount) (contracts/OLETokenLock.sol#51)
        State variables written after the call(s):
        - releaseVars[beneficiary].amount = lockedLeftAmount.sub(amount) (contracts/OLETokenLock.sol#65)
        - releaseVars[beneficiary].startTime = startTime (contracts/OLETokenLock.sol#67)
        - releaseVars[to] = ReleaseVar(amount,startTime,releaseVars[beneficiary].endTime,startTime) (contracts/OLETokenLock.sol#68)

Recommended Mitigation Steps

use Reentrancy guard from OZ

0xleastwood commented 2 years ago

There is no proof of concept so I'll mark this as a best-practice, aka non-critical.