Open code423n4 opened 2 years ago
0v3rf10w
Reentrancy possibilities at multiple places.
Reentrancy in FarmingPools.exit(address) (contracts/farming/FarmingPools.sol#111-114):
    External calls:
    - withdraw(stakeToken,rewards[stakeToken][msg.sender].stakes) (contracts/farming/FarmingPools.sol#112)
    - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)
    State variables written after the call(s):
    - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)
        - distributions[stakeToken].rewardPerTokenStored = rewardPerTokenStored (contracts/farming/FarmingPools.sol#59)
        - distributions[stakeToken].lastUpdateTime = lastTimeRewardApplicable(stakeToken) (contracts/farming/FarmingPools.sol#60)
    - getReward(stakeToken) (contracts/farming/FarmingPools.sol#113)
        - rewards[stakeToken][msg.sender].rewards = 0 (contracts/farming/FarmingPools.sol#119)
        - rewards[stakeToken][account].rewards = earned(stakeToken,account) (contracts/farming/FarmingPools.sol#62)
        - rewards[stakeToken][account].userRewardPerTokenPaid = rewardPerTokenStored (contracts/farming/FarmingPools.sol#63)

Reentrancy in LPool.addReserves(uint256) (contracts/liquidity/LPool.sol#969-976):
    External calls:
    - actualAddAmount = doTransferIn(msg.sender,addAmount,true) (contracts/liquidity/LPool.sol#972)
        - address(_token).call(abi.encodeWithSelector(_token.transferFrom.selector,_from,_to,_amount)) (contracts/lib/TransferHelper.sol#29)
        - IWETH(underlying).deposit{value: actualAmount}() (contracts/liquidity/LPool.sol#279)
        - actualAmount = IERC20(underlying).safeTransferFrom(from,address(this),amount) (contracts/liquidity/LPool.sol#281)
    External calls sending eth:
    - actualAddAmount = doTransferIn(msg.sender,addAmount,true) (contracts/liquidity/LPool.sol#972)
        - IWETH(underlying).deposit{value: actualAmount}() (contracts/liquidity/LPool.sol#279)
    State variables written after the call(s):
    - totalReserves = totalReservesNew (contracts/liquidity/LPool.sol#974)

Reentrancy in OLETokenLock.transferTo(address,uint256) (contracts/OLETokenLock.sol#55-70):
    External calls:
    - releaseInternal(beneficiary) (contracts/OLETokenLock.sol#61)
        - token.transfer(beneficiary,releaseAmount) (contracts/OLETokenLock.sol#51)
    State variables written after the call(s):
    - releaseVars[beneficiary].amount = lockedLeftAmount.sub(amount) (contracts/OLETokenLock.sol#65)
    - releaseVars[beneficiary].startTime = startTime (contracts/OLETokenLock.sol#67)
    - releaseVars[to] = ReleaseVar(amount,startTime,releaseVars[beneficiary].endTime,startTime) (contracts/OLETokenLock.sol#68)
use Reentrancy guard from OZ
There is no proof of concept so I'll mark this as a best-practice, aka non-critical.
non-critical
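The mitigation named in the report, sketched as an added example (not code from the audited contracts or from the report's author): a hypothetical LockSketch contract shows the "state variables written after the call" pattern that the tool output flags, next to a version that uses OpenZeppelin's nonReentrant modifier and writes state before the external call. All contract and function names here are assumptions, and the import paths are those of OpenZeppelin 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin 4.x paths; in 5.x ReentrancyGuard lives under utils/.
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical contract for illustration; not code from the audited repository.
contract LockSketch is ReentrancyGuard {
    IERC20 public immutable token;
    mapping(address => uint256) public locked; // tokens still owed per beneficiary

    constructor(IERC20 token_) {
        token = token_;
    }

    // Anyone may fund a beneficiary's lock (requires a prior approve()).
    // State is written first; a failed transferFrom reverts the write.
    function lock(address beneficiary, uint256 amount) external nonReentrant {
        locked[beneficiary] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Flagged pattern: storage is written after the external call.
    // If the token hands control to the recipient during transfer(),
    // a nested call still sees the old value in `locked`.
    function releaseFlagged() external {
        uint256 amount = locked[msg.sender];
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
        locked[msg.sender] = 0;                                          // effect, too late
    }

    // Hardened: checks, then effects, then interaction, plus the OZ guard so
    // a nested call into any nonReentrant function of this contract reverts.
    function release() external nonReentrant {
        uint256 amount = locked[msg.sender];                             // check
        require(amount > 0, "nothing locked");
        locked[msg.sender] = 0;                                          // effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

The guard only covers functions that carry the modifier, so ordering the state writes before the external call remains the primary fix and nonReentrant is the backstop.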