The IBank contract is vulnerable to reentrancy attacks. Specifically, the liquidate function can be called by an attacker multiple times before the state changes are finalized, allowing the attacker to withdraw more than they should.
Vulnerability Detail
The liquidate function calls the withdrawLend function, which is not protected against reentrancy. This means that an attacker can call the liquidate function multiple times before the state changes are finalized, allowing them to withdraw more than they should.
Impact
An attacker can exploit this vulnerability to steal funds from the contract.
To fix this vulnerability, the withdrawLend function should be updated to include a reentrancy guard. A simple fix could be to add the nonReentrant modifier to the withdrawLend function, similar to the liquidate function. Alternatively, the withdrawLend function could be modified to use the Checks-Effects-Interactions pattern to avoid reentrancy attacks.
moneyversed
high
Reentrancy vulnerability in IBank.sol
Summary
The IBank contract is vulnerable to reentrancy attacks. Specifically, the liquidate function can be called by an attacker multiple times before the state changes are finalized, allowing the attacker to withdraw more than they should.
Vulnerability Detail
The liquidate function calls the withdrawLend function, which is not protected against reentrancy. This means that an attacker can call the liquidate function multiple times before the state changes are finalized, allowing them to withdraw more than they should.
Impact
An attacker can exploit this vulnerability to steal funds from the contract.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/interfaces/IBank.sol#L166
Tool used
Manual Review
Recommendation
To fix this vulnerability, the
withdrawLend
function should be updated to include a reentrancy guard. A simple fix could be to add thenonReentrant
modifier to thewithdrawLend
function, similar to theliquidate
function. Alternatively, thewithdrawLend
function could be modified to use the Checks-Effects-Interactions pattern to avoid reentrancy attacks.