Open code423n4 opened 1 year ago
GalloDaSballo marked the issue as primary issue
Primary because simplified POC
Am not convinced that the finding is Medium Severity because of a specific leak of value, the finding is valid but am thinking QA low
m19 marked the issue as disagree with severity
We also disagree with severity, we agree there's a re-entrancy but there is no way to exploit it that we can see.
Downgrading to QA for lack of a leak of value
I recommend the warden to follow up with the Sponsor if they believe there's cause for further concern, however, due to lack of proof, am downgrading to QA
L
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-a
GalloDaSballo marked the issue as selected for report
GalloDaSballo marked the issue as not selected for report
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L210-L228
Vulnerability details
Impact
The code of `KUMASwap::buyBond` is re-entrant; whenever the face value of a bond is greater than the realized bond value, an EIP-721 clone is created via the `KBCToken::issueBond` function, which in turn invokes the `_safeMint` implementation of OpenZeppelin's `ERC721Upgradeable`. As the `_safeMint` function will invoke the `onERC721Received` function on the recipient, the recipient is able to re-enter the contract mid-execution. After analyzing the contract's codebase, one can identify the following misbehaviors:

- The `_minCoupon` value will possess an incorrect value during the re-entrancy
- `KBCToken` can be utilized before its entries are initialized in the `KUMASwap` contract and before the `KIBToken` amount has been burned

The `claimBond` function, which relies on the `_cloneBonds` data entry, is safe, however, as the data entry is not written yet during the re-entrant call. Additionally, the `_minCoupon` value, while adequately maintained by the contract, is not actively utilized as a sanitization measure in the contract, which is slightly ambiguous as it should be utilized to either enforce a purchase of a bond to be of the `_minCoupon`, or a sale of a bond to be lower than the `_minCoupon`, or some other form of business logic.

Proof of Concept
The following smart contract will cause the `ReentryAchieved` event to be emitted if it has sufficient `KIB` tokens for the `VALID_TOKEN_ID`'s purchase:

Tools Used
Manual review.
Recommended Mitigation Steps
We advise the clone bond to be assigned in an `else` clause introduced to the final `if` conditional of the code. This will ensure that the code of `KUMASwap::buyBond` conforms to the Checks-Effects-Interactions pattern and thus contains a correct system state during the external call permitting re-entrancies.
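The ordering the report describes, the re-entry through `onERC721Received`, and the Checks-Effects-Interactions fix it recommends, shown as an added illustration that is not KUMA protocol code and not the warden's PoC. Everything in it is a stand-in: `SwapBeforeFix`, `SwapAfterFix`, `SwapBase`, `ISwap`, `ReenteringBuyer`, the `buyBond` argument list and the sample values passed to it are assumptions, and `cloneBonds` / `minCoupon` play the role of the `_cloneBonds` / `_minCoupon` entries mentioned above. The `_safeMint` stand-in does only what matters here, calling the receiver hook on contract recipients, in place of OpenZeppelin's full implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not KUMA protocol code; all names are stand-ins.

// Receiver hook that OpenZeppelin's ERC721 _safeMint calls when `to` is a contract.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

// Surface the re-entering buyer needs; both swap variants below satisfy it.
interface ISwap {
    function buyBond(uint256 bondId, uint256 faceValue, uint256 realizedValue, uint256 coupon) external;
    function cloneBonds(uint256 bondId) external view returns (uint256);
}

// Shared state plus a minimal stand-in for ERC721Upgradeable._safeMint.
abstract contract SwapBase is ISwap {
    uint256 public minCoupon;
    mapping(uint256 => uint256) public override cloneBonds; // bondId => cloneId; 0 means "no clone yet"
    uint256 public nextCloneId = 1;

    function _safeMint(address to, uint256 tokenId) internal {
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }
}

// Vulnerable ordering: the clone record is written only after the external mint,
// so a contract recipient re-enters while cloneBonds[bondId] is still 0.
contract SwapBeforeFix is SwapBase {
    function buyBond(uint256 bondId, uint256 faceValue, uint256 realizedValue, uint256 coupon) external override {
        minCoupon = coupon;
        if (faceValue > realizedValue) {
            uint256 cloneId = nextCloneId++;
            _safeMint(msg.sender, cloneId);   // interaction: control passes to msg.sender
            cloneBonds[bondId] = cloneId;     // effect, but only after the interaction
        }
    }
}

// Checks-Effects-Interactions restored: every storage write precedes the external
// call, and a simple lock (an extra defence, not part of the report) rejects nested calls.
contract SwapAfterFix is SwapBase {
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function buyBond(uint256 bondId, uint256 faceValue, uint256 realizedValue, uint256 coupon)
        external
        override
        nonReentrant
    {
        minCoupon = coupon;
        if (faceValue > realizedValue) {
            uint256 cloneId = nextCloneId++;
            cloneBonds[bondId] = cloneId;     // effect first
            _safeMint(msg.sender, cloneId);   // interaction last
        }
    }
}

// Contract buyer that inspects the swap from inside the receiver hook and emits
// ReentryAchieved only when it catches the clone entry still unwritten.
contract ReenteringBuyer is IERC721Receiver {
    event ReentryAchieved(uint256 bondId, uint256 cloneIdDuringCallback);

    ISwap public immutable swap;
    uint256 private pendingBondId;

    constructor(ISwap _swap) {
        swap = _swap;
    }

    // Constructed sample call: face value 100 > realized value 90 forces the mint path.
    function buy(uint256 bondId) external {
        pendingBondId = bondId;
        swap.buyBond(bondId, 100, 90, 5);
    }

    function onERC721Received(address, address, uint256, bytes calldata) external override returns (bytes4) {
        uint256 seen = swap.cloneBonds(pendingBondId);
        // Against SwapBeforeFix: seen == 0 (half-updated state). Against SwapAfterFix: seen != 0.
        if (seen == 0) emit ReentryAchieved(pendingBondId, seen);
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Deploy `SwapBeforeFix`, deploy `ReenteringBuyer` pointed at it and call `buy(1)`: the hook reads `cloneBonds(1) == 0` and `ReentryAchieved` is emitted, which is the half-updated state the report describes. Point the same buyer at `SwapAfterFix` and the hook reads the already-written clone id, so nothing is emitted; a buyer that tried to call `buyBond` again from the hook would additionally hit the lock. Note that `_minCoupon` is written before the mint in both variants, so moving the clone assignment alone is enough to satisfy the report's recommendation; the lock is belt-and-braces for any later code that adds effects after the mint.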