bghughes
commented
2 years ago Good recommendation to use Reentrancy Gaurd and Duplicate of #283
Closed code423n4 closed 2 years ago
bghughes
commented
2 years ago Good recommendation to use Reentrancy Gaurd and Duplicate of #283
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L595 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L598
Vulnerability details
BTN-02M: Share Withdrawal Re-Entrancy
Description
The
_withdrawmechanism of theBathTokendoes not conform to the Checks-Effects-Interactions pattern as it distributes bonus token rewards prior to the redemption (i.e. burning) of shares. While this in and of itself is an issue in the case of re-entrant EIP-777 tokens, it is an even more valid vulnerability as the system is expected to handle native asset rewards and thus cause re-entrancies via native asset transfers as well like theVestingWalletimplementation and correspondingreleaseimplementation.Impact
The re-entrant call can lead to redemptions beyond the first to have unfair evaluations as the original shares will not have exited the system at that point in time.
Solution (Recommended Mitigation Steps)
We advise the code to conform to the CEI pattern by performing any external calls (such as reward distributions) after the shares have been burned and all state variables have been properly updated. As an additional security measure, we advise the non-reentrant modifier by OpenZeppelin's
ReentrancyGuardcontract to be applied throughout the codebase.PoC
Issue is deducible by inspecting the relevant lines referenced in the issue, making note of the
distributeBonusTokenRewardsfunction execution prior to the_burnoperation.Tools
Manual inspection of the codebase.