Foon256
commented
5 months ago On corePaybackFeeManager() there syncPool() modifier is called in which _syncPoolBeforeCodeExecution() is called and in this function the function _checkReentrancy() is triggered.
Beside that there are not token sent to the user in corePaybackFeeManager(). At the end after _updateUserBadDebt() the incentive token are sent to the user as you can see in the function.
c4-pre-sort
c4-judge
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/FeeManager/FeeManager.sol#L730-L814
Vulnerability details
Impact
An attacker could potentially drain the contract's funds by repeatedly calling the function before the
badDebtPositionmapping is updated. Here's how the reentrancy attack could work:paybackBadDebtForTokenfrom within itsfallbackfunction.paybackBadDebtForTokenwith their malicious contract as the caller.paybackBadDebtForTokenfunction, the contract transfers thereceivingAmounttokens to the attacker's malicious contract before updating thebadDebtPositionmapping.paybackBadDebtForTokenagain.badDebtPositionmapping hasn't been updated yet, the attacker can repeatedly receive thereceivingAmounttokens. This attack can continue until the contract's funds are depleted or the gas limit is reached. The severity of this vulnerability is considered high because it could lead to a complete loss of funds for the contract. An attacker could potentially drain all the tokens held by the contract, resulting in a significant financialProof of Concept
The
paybackBadDebtForTokenfunction is also vulnerable to reentrancy attacks. An attacker could potentially call this function recursively before thebadDebtPositionmapping is updated, leading to multiple paybacks of the same bad debt. True or false, explain in details how this works, what is the impact ? show relevant code sections and explain proof of concept and vulnerability details. Use code to explain how it can be mitigated. ThepaybackBadDebtForTokenfunction is indeed vulnerable to a reentrancy attack. Here's a breakdown of the vulnerability and how it can be exploited: 1.The function updates thebadDebtPositionmapping after transferring thereceivingAmountand thepaybackAmounttokens. This means that an attacker's malicious contract can re-enter the function before thebadDebtPositionmapping is updated.paybackBadDebtForTokenand receive thereceivingAmounttoken.Before the
badDebtPositionmapping is updated, the attacker's contract would recursively callpaybackBadDebtForTokenagain, exploiting the fact that thebadDebtPositionmapping has not been updated yet. 4.This recursive call would allow the attacker to receive additionalreceivingAmounttokens before thebadDebtPositionmapping is updated, effectively draining the contract's tokens. Here's the relevant code section that illustrates the vulnerability:function paybackBadDebtForToken( uint256 _nftId, address _paybackToken, address _receivingToken, uint256 _shares ) external returns ( uint256 paybackAmount, uint256 receivingAmount ) { updatePositionCurrentBadDebt( _nftId );
}
Tools Used
Manual
Recommended Mitigation Steps
Follow the "Checks-Effects-Interactions" pattern and update the
badDebtPositionmapping before transferring any tokens. Here's how you can modify thepaybackBadDebtForTokenfunction:In this modified version, the
badDebtPositionmapping is updated before transferring any tokens, preventing the reentrancy attack. Additionally, a check is added to ensure that the badDebtPosition is not zero before proceeding with the payback process. By following the "Checks-Effects-Interactions" pattern and updating the critical state variables before any external interactions, you can effectively mitigate the reentrancy vulnerability in thepaybackBadDebtForTokenfunction.Assessed type
Other