code-423n4 / 2022-01-sherlock-findings


SherlockClaimManager: reentrancy comment for priceProposed() and priceDisputed() can be phrased better #217

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

GreyArt

Vulnerability details

Impact

The priceProposed() and priceDisputed() callback functions have the following comment:

// @note reentrancy is allowed for this call

It isn’t that re-entrancy is allowed, but that it doesn’t have re-entrancy protection because it is chained in the interactions with the UMA OO contract when claims are escalated. The current comment may mislead people into thinking that re-entrancy can be performed when there is in fact reentrancy protection in the starting function escalate().

Recommended Mitigation Steps

Update the comment to provide better clarity.

// @note does not have reentrancy protection because it will be called by the OO contract
// when escalate() is invoked, which is non-reentrant
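
A simplified Solidity model of the call chain described in this finding, added here as an illustration; it is not code from the Sherlock or UMA repositories. `MockOracle`, `ClaimManagerModel`, `requestAndProposePrice()`, `settle()`, the hand-written guard and the `msg.sender` check are assumptions of the model; only `escalate()` and `priceProposed()` are names taken from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model only: hypothetical contracts, not Sherlock's or UMA's code.
interface IPriceCallback {
    function priceProposed(bytes32 claimId) external;
}

// Stand-in for the OO contract: calls back into the requester in the same transaction.
contract MockOracle {
    function requestAndProposePrice(bytes32 claimId) external {
        IPriceCallback(msg.sender).priceProposed(claimId);
    }
}

contract ClaimManagerModel is IPriceCallback {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    MockOracle public immutable oracle;
    mapping(bytes32 => bool) public proposed;

    constructor(MockOracle oracle_) { oracle = oracle_; }

    modifier nonReentrant() {
        require(status != ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    // Starting function: takes the guard, then interacts with the oracle.
    function escalate(bytes32 claimId) external nonReentrant {
        oracle.requestAndProposePrice(claimId);
    }

    // @note does not have reentrancy protection because it is called by the oracle
    // while escalate() holds the guard. Marking this nonReentrant would fail
    // require(status != ENTERED) and revert escalate(). Caller check is assumed.
    function priceProposed(bytes32 claimId) external override {
        require(msg.sender == address(oracle), "only oracle");
        proposed[claimId] = true;
    }

    // Any guarded function stays unreachable while escalate() is executing.
    function settle(bytes32 claimId) external nonReentrant { delete proposed[claimId]; }
}
```

In this model the callback only ever runs with `status == ENTERED` when reached through `escalate()`, so every other `nonReentrant` function remains blocked for the duration of the oracle interaction.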