ghost
commented
2 years ago The accounting checks are done here https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashLogic.sol#L212-L214
As long as owner has sufficient tokens and either msg.sender == owner or owner has given msg.sender sufficient allowance, you can continue to call this function .
jeffywu
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L187
Vulnerability details
This is a corrected version of the previous submission and typo mistakes corrected.
Impact
The
withdraw()function inwfCashERC4626.solcan be re-entered at the point of_redeemInternal().Assume asset tokens are sent to receiver after shares are burnt, and user re-enters withdraw() after _redeemInternal() is completed., (P.S: there's a separate issue on I submitted earlier on this part). But let's assume the function works as described by ERC4626 standard, User would have more assets each time shares are burnt.
Proof of Concept
_redeemInternal()works as normal and conversion of asset -> shares is 1:1withdraw()with input 2assets, her address forreceiverandownerarguments._redeemInternal(), assume 2 fCash is burnt and 2 ETH is transferred to Alicewithdraw()once_redeemInternal()is successful, Alice now owns 7 ETHTools Used
Manual review
Recommended Mitigation Steps
Implement the check-effects-interactions pattern or nonReentrant Guards. It seems some account settlement within the vault needs to be done before the transfer of tokens to receiver as well.