Lines of code
Vulnerability details
C4 Issue
H-14: mergeTranches()/refinancePartial() lack of nonReentrant
Comments
Original vulnerabilities: mergeTranches() and refinancePartial() don’t have nonReentrant modifiers. This is risky because mergeTranches() and refinancePartial() are publicly accessible and allow for a custom contract call, IOfferValidator(CustomContract).validateOffer().
Original impacts: This allows for reentrancy, and the impact may be that the same NFT is used in multiple loans at the same time.
Mitigation
Fix: https://github.com/pixeldaogg/florida-contracts/pull/383/files
The nonReentrant modifier is added to mergeTranches() and refinancePartial(). This eliminates the attack vector and resolves the issue.
Conclusion
LGTM
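The pattern reviewed above, as an added example that is not the project's code: a public function that hands control to a caller-chosen validator before writing state, next to the same logic behind a shared reentrancy lock. The contract, its state layout, the function names ending in `Unguarded`/`Guarded`, and the simplified `validateOffer` signature are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, hypothetical signature; the real validateOffer() parameters are not shown on this page.
interface IOfferValidator {
    function validateOffer(uint256 loanId, bytes calldata data) external;
}

contract TrancheExample {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    // Hypothetical state: hash of the loan currently backed by the collateral.
    mapping(uint256 => bytes32) public loanHash;

    error Reentrancy();
    error StaleLoan();

    // One lock shared by every entry point that touches loanHash.
    modifier nonReentrant() {
        if (_status == ENTERED) revert Reentrancy();
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    function _refinance(uint256 id, bytes32 expected, address validator, bytes calldata data) internal {
        if (loanHash[id] != expected) revert StaleLoan();
        // Caller-chosen contract runs here, while loanHash[id] still holds the old value.
        IOfferValidator(validator).validateOffer(id, data);
        loanHash[id] = keccak256(abi.encode(expected, data)); // state written after the call
    }

    // Before: the validator can call back in and pass the StaleLoan check a second time.
    function refinanceUnguarded(uint256 id, bytes32 expected, address validator, bytes calldata data) external {
        _refinance(id, expected, validator, data);
    }

    // After: a nested call into either guarded function reverts with Reentrancy().
    function refinanceGuarded(uint256 id, bytes32 expected, address validator, bytes calldata data) external nonReentrant {
        _refinance(id, expected, validator, data);
    }

    function mergeGuarded(uint256 id, bytes32 expected, address validator, bytes calldata data) external nonReentrant {
        _refinance(id, expected, validator, data);
    }
}
```

When reviewing a fix of this kind, check that every external function reaching the same state through the validator callback carries the modifier, since the lock only blocks re-entry into functions that use it.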