Open code423n4 opened 2 years ago
Valid and a big issue. However, due to other recommendations, I will not solve it this way. Instead, updateDistribution() will be called at the start of every lock/unlock function (so it can't have a noReenter modifier), and the _safeMint calls will be moved to the end of their respective operations to prevent the effect of the re-entrancy (i.e. the position will be created with a _pointsPerUnit before a re-entrance from _safeMint can affect it). Tests will be added to show this is no longer possible.
In our release candidate contract, as mentioned above, updateDistribution() is called before each locking and unlocking function, via an updatePointsPerUnitAtStart modifier, and thus updateDistribution() is now a public function, and since it is used by other functions, cannot be behind a noReenter.
See:
Also, a test was written to ensure that this is no longer exploitable, and that the contract behaves properly if a re-entrancy calls updateDistribution().
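The ordering the sponsor describes (updateDistribution() first via a modifier, _safeMint last so the position's principal is already counted when the recipient callback runs) is shown below in a simplified contract written for this note. It is not the XDEFIDistribution code: only the names that appear in the issue (lock, unlock, updateDistribution, _safeMint, totalDepositedXDEFI, _pointsPerUnit, noReenter, updatePointsPerUnitAtStart) are taken from the page; the balance-snapshot reward accounting, the Position struct, the scaling factor and the minimal ERC721 receiver stand-in are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract written for this note; it is not the XDEFIDistribution code.
// Names used in the issue are kept; the reward accounting below is an assumption.

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IERC721ReceiverLike {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract DistributionExample {
    struct Position { address owner; uint256 units; uint256 pointsCorrection; }

    IERC20Like public immutable xdefi;
    uint256 public totalDepositedXDEFI;   // locked principal across all positions
    uint256 internal _pointsPerUnit;      // accumulated rewards per unit of principal, scaled by 1e18
    uint256 internal _lastBalance;        // token balance already accounted for (principal + credited rewards)
    uint256 internal _nextId = 1;
    bool internal _entered;
    mapping(uint256 => Position) public positions;
    mapping(uint256 => address) public ownerOf;

    constructor(IERC20Like token) { xdefi = token; }

    modifier noReenter() {
        require(!_entered, "reentrant call");
        _entered = true;
        _;
        _entered = false;
    }

    // Runs updateDistribution() before the body, so lock/unlock always start from a
    // _pointsPerUnit that reflects every reward token received so far.
    modifier updatePointsPerUnitAtStart() {
        updateDistribution();
        _;
    }

    // Public and deliberately without noReenter, since lock/unlock call it. It only
    // converts tokens that arrived since the last call into points; once lock() has
    // recorded the new principal below, a re-entrant call finds nothing new and is a no-op.
    // Rewards arriving while nothing is locked are credited at the next update.
    function updateDistribution() public {
        uint256 held = xdefi.balanceOf(address(this));
        uint256 newRewards = held - _lastBalance;
        if (newRewards == 0 || totalDepositedXDEFI == 0) return;
        _lastBalance = held;
        _pointsPerUnit += (newRewards * 1e18) / totalDepositedXDEFI;
    }

    function lock(uint256 amount) external noReenter updatePointsPerUnitAtStart returns (uint256 id) {
        require(amount > 0, "zero amount");
        require(xdefi.transferFrom(msg.sender, address(this), amount), "transfer failed");
        id = _nextId++;
        positions[id] = Position(msg.sender, amount, (amount * _pointsPerUnit) / 1e18);
        // Effects first: the new deposit is recorded as principal, not left to look like rewards...
        totalDepositedXDEFI += amount;
        _lastBalance += amount;
        // ...and only then the interaction that can hand control to a contract recipient.
        _safeMint(msg.sender, id);
    }

    function unlock(uint256 id) external noReenter updatePointsPerUnitAtStart {
        Position memory p = positions[id];
        require(p.owner == msg.sender, "not owner");
        uint256 reward = (p.units * _pointsPerUnit) / 1e18 - p.pointsCorrection;
        uint256 payout = p.units + reward;
        delete positions[id];
        delete ownerOf[id];
        totalDepositedXDEFI -= p.units;
        _lastBalance -= payout;
        require(xdefi.transfer(msg.sender, payout), "transfer failed");
    }

    // Minimal stand-in for ERC721's _safeMint: the receiver callback is the point at
    // which a contract recipient regains control, which is why it runs last in lock().
    function _safeMint(address to, uint256 id) internal {
        ownerOf[id] = to;
        if (to.code.length > 0) {
            bytes4 ret = IERC721ReceiverLike(to).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721ReceiverLike.onERC721Received.selector, "unsafe recipient");
        }
    }
}
```

With this ordering, a recipient that calls updateDistribution() from onERC721Received sees totalDepositedXDEFI and _lastBalance already including its own deposit, so newRewards is zero and _pointsPerUnit is unchanged; had the mint happened before those two updates, the freshly transferred principal would have been divided over the old, smaller totalDepositedXDEFI, which is the inflation the issue describes. A regression test for this is simply a receiver contract that re-enters updateDistribution() in its callback and an assertion that _pointsPerUnit is the same before and after its lock() call.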
Agreed with the severity.
Resolution of reordering the calls seems to be adequate.
Handle
cccz
Vulnerability details
Impact
There is a reentrancy vulnerability in the _safeMint function.
The lock function changes the totalDepositedXDEFI variable after calling the _safeMint function.
Since the updateDistribution function does not use the noReenter modifier, the attacker can re-enter the updateDistribution function in the _safeMint function. Since the value of totalDepositedXDEFI is not updated at this time, the _pointsPerUnit variable will become abnormally large.
If the attacker calls the lock function to get the NFT before exploiting the reentrancy vulnerability, then the unlock function can be called to steal a lot of rewards, and the assets deposited by the user using the reentrancy vulnerability can also be redeemed by calling the unlock function. Since the unlock function calls the _updateXDEFIBalance function, the attacker cannot steal the assets deposited by the user.
Proof of Concept
https://github.com/XDeFi-tech/xdefi-distribution/blob/v1.0.0-beta.0/contracts/XDEFIDistribution.sol#L253-L281
Tools Used
Manual analysis
Recommended Mitigation Steps