c4-pre-sort
commented
1 year ago 0xSorryNotSorry marked the issue as duplicate of #752
Closed code423n4 closed 1 year ago
c4-pre-sort
commented
1 year ago 0xSorryNotSorry marked the issue as duplicate of #752
c4-judge
commented
1 year ago GalloDaSballo changed the severity to 2 (Med Risk)
c4-judge
commented
1 year ago GalloDaSballo marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L129 https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L281 https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L142
Vulnerability details
Impact
EthRouter provides or offers a way to execute a buy batch from PrivatePool, A user will try to call buy function in EthRouter to execute a buy operations against private pool, on EthRouter at L129 The
buyfunction in PrivatePool will be triggered and executed, onbuyfunction inside PrivatePool contract L281 a safeTransferETH will be called to transfer a royaltyFee to a recipient.A recipient contract can call EthRouter
buyfunction with empty parameters' on receive() function. Now buy function inside EthRouter contract will continue to line L142 and callsafeTransferETHto transfer the balance of EthRouter to msg.sender. Therefore, the recipient steal the funds from EthRouter balance that's considered as refund for the buyer. eventually after a transfer made to the recipient contract the function buy inside the EthRouter will continue executing and will reach the line L142 to refund any surplus ETH to the caller buyer but the balance already gone and stolen by recipient attacker.Proof of Concept
A simple scenario for the Reentrancy attack: let's name
buyfunction on EthRouter as Ebuy, andbuyfunction at PrivatePool as Pbuy for clarity.Tools Used
Manual review
Recommended Mitigation Steps
Use reentrancy guard.