c4-judge
commented
1 month ago Picodes marked the issue as unsatisfactory: Invalid
Closed howlbot-integration[bot] closed 1 month ago
c4-judge
commented
1 month ago Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/CollateralTracker.sol#L1
Vulnerability details
I have identified another potential vulnerability related to the usage of the
.call()function:Smart Contract: CollateralTracker
File: CollateralTracker.sol
Vulnerability: Usage of Low-Level
.call()FunctionDescription: The smart contract uses the low-level
.call()function in the_setup()function, which can introduce potential security risks due to the lack of type safety and the possibility of introducing re-entrancy attacks.Proof of Concept: The
.call()function is used to execute arbitrary code in the_setup()function:Recommendation: Avoid using the low-level
.call()function whenever possible. Instead, use the high-level.transfer()or.transferFrom()functions. If the.call()function must be used, ensure that proper checks are in place to protect against re-entrancy attacks, and use the.call.value()function to securely transfer Ether.Mitigation: Replace the usage of the low-level
.call()function with the high-level.transfer()function:Disclosure: The vulnerability described in this report has been discovered by me during a routine code review. I have not exploited it in any way, and I am reporting it to the development team to ensure the security of the protocol.
Assessed type
call/delegatecall