Open olaoyesalem opened 8 months ago
Reentrancy can only happen if the called contract calls back into the target; in our case that is impossible, since WISE_LENDING is not an external contract that a malicious actor can modify.
Also, similar questions about malicious tokens are out of scope.
Summary
The _manuallyWithdrawShares function in the contract is vulnerable to reentrancy because it performs an external call to withdraw tokens before completing all state changes. The function calls WISE_LENDING.withdrawExactShares without fully updating the contract's state beforehand. As a result, the contract is left in an incomplete state during the external call, creating an opportunity for an attacker to manipulate the contract's state in unintended ways.
Proof Of Code
Recommendations:
To mitigate the reentrancy vulnerability, follow these recommendations:
Use the Checks-Effects-Interactions pattern: Ensure that all state changes are completed before interacting with external contracts to prevent reentrancy attacks.
Perform state changes first: Calculate the withdrawal amount and update contract state before making external calls to avoid leaving the contract in an inconsistent state.
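The two recommendations above, illustrated as an added example that is not code from the issue or from the Wise Lending project. The vault contract, its share accounting and the withdrawShares function are hypothetical; the IWiseLending interface is a stand-in whose signature and return value are assumed, not taken from the real contract. The first contract orders the external call before the state update; the second applies Checks-Effects-Interactions and adds a reentrancy guard as a second line of defence.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the lending contract named in the issue.
// The function signature and return value are assumptions for this example.
interface IWiseLending {
    function withdrawExactShares(
        address _poolToken,
        uint256 _shares
    ) external returns (uint256 withdrawnAmount);
}

// Shared state for both variants below (hypothetical vault, not project code).
abstract contract ShareVaultBase {
    IWiseLending public immutable WISE_LENDING;
    address public immutable POOL_TOKEN;

    // Shares each depositor is entitled to withdraw.
    mapping(address => uint256) public shares;

    event Withdrawn(address indexed user, uint256 shares, uint256 received);

    constructor(IWiseLending _lending, address _poolToken) {
        WISE_LENDING = _lending;
        POOL_TOKEN = _poolToken;
    }
}

// Variant 1: the ordering the issue describes. The external call happens while
// the caller's share balance is still unreduced, so the contract's state is
// inconsistent for the whole duration of the call.
contract ShareVaultVulnerable is ShareVaultBase {
    constructor(IWiseLending _lending, address _poolToken)
        ShareVaultBase(_lending, _poolToken) {}

    function withdrawShares(uint256 _shares) external {
        require(shares[msg.sender] >= _shares, "insufficient shares"); // check

        // interaction before effect: control leaves this contract with
        // shares[msg.sender] still at its old value
        uint256 received = WISE_LENDING.withdrawExactShares(POOL_TOKEN, _shares);

        shares[msg.sender] -= _shares; // effect, applied too late
        emit Withdrawn(msg.sender, _shares, received);
    }
}

// Variant 2: Checks-Effects-Interactions. All bookkeeping is finished before
// the external call, so any re-entry observes the already-updated balance.
// A simple mutex is added as defence in depth.
contract ShareVaultCEI is ShareVaultBase {
    uint256 private _status = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IWiseLending _lending, address _poolToken)
        ShareVaultBase(_lending, _poolToken) {}

    function withdrawShares(uint256 _shares) external nonReentrant {
        // check
        uint256 balance = shares[msg.sender];
        require(balance >= _shares, "insufficient shares");

        // effect: state is final before anything external runs
        shares[msg.sender] = balance - _shares;

        // interaction: last step, operating on already-consistent state
        uint256 received = WISE_LENDING.withdrawExactShares(POOL_TOKEN, _shares);
        emit Withdrawn(msg.sender, _shares, received);
    }
}
```

The guard alone would also block a re-entrant withdrawShares call, but the CEI ordering is the primary fix: it makes the function safe regardless of what the callee does during the external call, and it also protects view functions and other entry points that the mutex does not cover.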