Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMASwap.sol#L210-L228
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KBCToken.sol#L51-L62
Vulnerability details
Impact
KUMASwap.buyBond() hands control to the caller through the ERC721 receiver hook before its own state update is complete, so a contract caller can reenter the protocol while _minCoupon is stale. No concrete profit path from that stale value is demonstrated here; the risk is that any current or future logic that reads _minCoupon during the callback operates on an incorrect value.
Proof of Concept
KUMASwap.buyBond() may trigger a callback to the sender's contract before the following statements have been executed:
When the caller's contract receives that callback while the swap's state update is still incomplete, it can reenter and act on the incorrect intermediate state.
The reentry point is reached through the call chain:
buyBond() -> KBCToken.issueBond() -> _safeMint() -> msg.sender.onERC721Received()
During this callback KUMASwap's _minCoupon may be stale: the bond has already been bought, but _updateMinCoupon() has not yet run to refresh it. The relevant code of KUMASwap.buyBond() and KBCToken.issueBond() is:
Tools Used
VS Code
Recommended Mitigation Steps
Follow the checks-effects-interactions pattern: move the call that can trigger the callback (the mint performed by KBCToken.issueBond()) to the end of buyBond(), after _updateMinCoupon() and every other state write, so that a reentrant caller only ever observes fully updated state. A reentrancy guard on buyBond() is reasonable defence in depth, but reordering is what removes the stale window itself:
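As an added illustration (not the KUMA code and not part of the original finding), the following self-contained Solidity model shows the ordering problem and the fix side by side. BondNFT, VulnerableSwap, Reenterer and the coupon bookkeeping are hypothetical stand-ins for KBCToken, KUMASwap and _minCoupon; the mint copies the shape of OpenZeppelin's _safeMint by invoking onERC721Received after writing ownership.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical model of the pattern in the finding (not the KUMA code):
// BondNFT stands in for KBCToken, VulnerableSwap for KUMASwap, and
// minCoupon for _minCoupon.

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract BondNFT {
    address public immutable swap;           // only the swap may mint
    uint256 public nextId = 1;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public couponOf;

    constructor() { swap = msg.sender; }

    // Same shape as OpenZeppelin's _safeMint: ownership is written, then the
    // receiver hook hands control to `to` while the caller (the swap) is
    // still mid-transaction.
    function issueBond(address to, uint256 coupon) external returns (uint256 id) {
        require(msg.sender == swap, "only swap");
        id = nextId++;
        ownerOf[id] = to;
        couponOf[id] = coupon;
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe receiver");
        }
    }
}

contract VulnerableSwap {
    BondNFT public immutable bonds;
    uint256[] private _coupons;
    uint256 public minCoupon;                // derived state read by other logic

    constructor() { bonds = new BondNFT(); }

    function _updateMinCoupon() private {
        uint256 m = type(uint256).max;
        for (uint256 i = 0; i < _coupons.length; i++) {
            if (_coupons[i] < m) m = _coupons[i];
        }
        minCoupon = m;
    }

    // Vulnerable ordering: the receiver hook fires inside issueBond, before
    // _updateMinCoupon, so a reentrant caller reads a stale minCoupon.
    function buyBond(uint256 coupon) external returns (uint256 id) {
        _coupons.push(coupon);
        id = bonds.issueBond(msg.sender, coupon);
        _updateMinCoupon();
    }

    // Fixed ordering (checks-effects-interactions): every state write,
    // including the derived minCoupon, completes before the external call.
    function buyBondFixed(uint256 coupon) external returns (uint256 id) {
        _coupons.push(coupon);
        _updateMinCoupon();
        id = bonds.issueBond(msg.sender, coupon);
    }
}

// Caller contract that records what the swap exposes during the callback.
contract Reenterer is IERC721Receiver {
    VulnerableSwap public immutable swap;
    uint256 public minCouponSeenInCallback;

    constructor(VulnerableSwap s) { swap = s; }

    function buy(uint256 coupon, bool useFixedPath) external {
        if (useFixedPath) swap.buyBondFixed(coupon); else swap.buyBond(coupon);
    }

    function onERC721Received(address, address, uint256, bytes calldata) external override returns (bytes4) {
        // Any logic placed here runs against the swap's intermediate state.
        minCouponSeenInCallback = swap.minCoupon();
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Walkthrough: deploy VulnerableSwap, then Reenterer pointed at it. After buy(500, false) the swap's minCoupon is 500. A second buy(300, false) records minCouponSeenInCallback = 500 even though the 300 coupon is already in _coupons, because the hook runs before _updateMinCoupon(); only after the call returns does minCoupon become 300. With buy(200, true) the hook observes 200, since the fixed path finishes every state write before calling out. Any function the hook reenters that branches on minCoupon therefore runs on the wrong value in the vulnerable ordering and on the correct one in the fixed ordering.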