search

sherlock-audit / 2023-03-taurus-judging

4 stars 0 forks source link

SunSec - _modifyPosition () ERC777 re-enter to steal funds #197

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

SunSec

high

_modifyPosition () ERC777 re-enter to steal funds

Summary

Vulnerability Detail

The contract's _modifyPosition function is vulnerable to reentrancy attacks if the collateralToken being used is an ERC777 token.

The reentrancy vulnerability in the _modifyPosition function could allow an attacker to call the function repeatedly before the previous calls have finished executing, potentially leading to unexpected behavior and/or financial losses.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/BaseVault.sol#L310-L319

   function _modifyPosition(
        address _account,
        uint256 _collateralDelta,
        uint256 _debtDelta,
        bool _increaseCollateral,
        bool _increaseDebt
    ) internal virtual {
...
        if (_collateralDelta != 0) {
            if (_increaseCollateral) {
                // Deposit collateral
                userDetails[_account].collateral += _collateralDelta;
                IERC20(collateralToken).safeTransferFrom(msg.sender, address(this), _collateralDelta);  //@audit - ERC 777 issue

                emit Deposit(_account, _collateralDelta);
            } else {
                // Withdraw collateral
                uint256 currentCollateral = userDetails[_account].collateral;
                if (_collateralDelta > currentCollateral) revert insufficientCollateral();
                userDetails[_account].collateral = currentCollateral - _collateralDelta;
                mustCheckHealth = true;
                IERC20(collateralToken).safeTransfer(msg.sender, _collateralDelta); //@audit - ERC 777 issue

Tool used

Manual Review

Recommendation

Add reentrancy protection for modifyPosition() function.