Closed code423n4 closed 2 years ago
Lines of code
https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L284-L285
Vulnerability details
Impact
A re-entrancy attack may drain the asset holder’s balance due to function / variable update order at FiatTokenV1.sol:284
Proof of Concept
```solidity
function transferFrom(
    address from,
    address to,
    uint256 value
)
    external
    override
    whenNotPaused
    notBlocklisted(msg.sender)
    notBlocklisted(from)
    notBlocklisted(to)
    checkWhitelist(from, value)
    returns (bool)
{
    require(
        value <= allowed[from][msg.sender],
        "ERC20: transfer amount exceeds allowance"
    );
    // balances are moved first ...
    _transfer(from, to, value);
    // ... and the spender's allowance is reduced only afterwards
    allowed[from][msg.sender] = allowed[from][msg.sender] - value;
    return true;
}
```
Tools Used
VS Code
Recommended Mitigation Steps
A mutex can be implemented, for example by inheriting OZ ReentrancyGuard.sol.
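The recommended hardening, written out as an added example (not the JPYC/FiatTokenV2 code): the allowance is reduced before balances move (checks-effects-interactions order) and the function carries the `nonReentrant` mutex from OpenZeppelin's ReentrancyGuard. The contract skeleton, the `balances`/`allowed` mappings, the simplified `_transfer`, and the OpenZeppelin v4 import path are assumptions; the pause, blocklist and whitelist modifiers from the original are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin v4 layout; in v5 the file lives under utils/.
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Illustrative contract, not the project's own FiatTokenV2.
contract GuardedTransferFrom is ReentrancyGuard {
    mapping(address => uint256) internal balances;
    mapping(address => mapping(address => uint256)) internal allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);

    // Pure storage update with no external call (assumed shape of _transfer).
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "ERC20: transfer to the zero address");
        require(value <= balances[from], "ERC20: transfer amount exceeds balance");
        balances[from] -= value;
        balances[to] += value;
        emit Transfer(from, to, value);
    }

    function transferFrom(address from, address to, uint256 value)
        external
        nonReentrant // mutex: a nested call into transferFrom reverts
        returns (bool)
    {
        // Checks
        uint256 currentAllowance = allowed[from][msg.sender];
        require(value <= currentAllowance, "ERC20: transfer amount exceeds allowance");

        // Effects: consume the allowance before any balance movement, so the
        // same allowance cannot be spent twice even if a later version of
        // _transfer ever gained a callback into untrusted code.
        allowed[from][msg.sender] = currentAllowance - value;

        // Interactions (or the state change that could become one) come last.
        _transfer(from, to, value);
        return true;
    }
}
```

The mutex only adds protection on paths that make an external call; with a `_transfer` like the one above, the ordering change is what removes the double-spend window.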
There is no problem because the call function is not used in transferFrom.