Lines of code
https://github.com/code-423n4/2023-01-drips/blob/main/src/DripsHub.sol#L118
Vulnerability details
Impact
Solidity functions should always follow the Checks-Effects-Interactions pattern, in which the initial stage contains only checks and validations, and these reside in the modifiers.
For this reason, modifiers should implement only checks and validations and should not make state changes or external calls.
The contract DripsHub was found to violate this pattern: the modifier onlyDriver was making sensitive state changes and modifications.
Proof of Concept
Github
Tools Used
Manual
Recommended Mitigation Steps
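One way to apply the pattern described under Impact, shown as an added example that is not part of the original report and is not DripsHub's code. The contract `DriverVault`, its `driverCalls` counter and all function names are hypothetical; it contrasts a modifier that writes to storage with a check-only modifier, and orders the function bodies as checks, effects, interactions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical contract for illustration; not code from DripsHub.
contract DriverVault {
    address public immutable driver;
    uint256 public driverCalls;
    mapping(uint256 => uint256) public balances; // userId => wei

    constructor(address driver_) { driver = driver_; }

    // Anti-pattern: storage write hidden in the modifier. Every function
    // using it performs an effect before its own checks have run.
    modifier onlyDriverCounting() {
        require(msg.sender == driver, "not driver");
        driverCalls += 1;
        _;
    }

    // Check-only: reads state, reverts on failure, writes nothing.
    modifier onlyDriver() {
        require(msg.sender == driver, "not driver");
        _;
    }

    // Before: the counter update is invisible when reading this body.
    function depositBefore(uint256 userId) external payable onlyDriverCounting {
        require(msg.value > 0, "zero deposit");
        balances[userId] += msg.value;
    }

    // After: checks first, then effects, all visible in order.
    function deposit(uint256 userId) external payable onlyDriver {
        require(msg.value > 0, "zero deposit"); // checks
        driverCalls += 1;                        // effects
        balances[userId] += msg.value;
    }

    // Full Checks-Effects-Interactions: the external call comes last.
    function withdraw(uint256 userId, address payable to) external onlyDriver {
        uint256 amount = balances[userId];
        require(amount > 0, "nothing to withdraw"); // checks
        balances[userId] = 0;                        // effects
        driverCalls += 1;
        (bool ok, ) = to.call{value: amount}("");    // interactions
        require(ok, "transfer failed");
    }
}
```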