The flash function in SwapperImpl.sol is vulnerable to reentrancy attacks due to the external call to ISwapperFlashCallback before updating the state.
Vulnerability Detail
The flash function calls an external contract, ISwapperFlashCallback, before updating the state variable $_payback. If the called contract is malicious, it could call back into the SwapperImpl contract and cause unexpected behavior or steal funds.
Impact
This vulnerability could lead to loss of funds, unauthorized actions, or other unexpected behaviors in the SwapperImpl contract.
Implement reentrancy protection, such as the Checks-Effects-Interactions pattern, to prevent reentrancy attacks. Update the state variable $_payback before making the external call to ISwapperFlashCallback.
moneyversed
high
Reentrancy Attack in SwapperImpl.sol
Summary
The flash function in SwapperImpl.sol is vulnerable to reentrancy attacks due to the external call to ISwapperFlashCallback before updating the state.
Vulnerability Detail
The flash function calls an external contract, ISwapperFlashCallback, before updating the state variable $_payback. If the called contract is malicious, it could call back into the SwapperImpl contract and cause unexpected behavior or steal funds.
Impact
This vulnerability could lead to loss of funds, unauthorized actions, or other unexpected behaviors in the SwapperImpl contract.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L203
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L212
Tool used
Manual Review
Recommendation
Implement reentrancy protection, such as the Checks-Effects-Interactions pattern, to prevent reentrancy attacks. Update the state variable $_payback before making the external call to ISwapperFlashCallback.
Duplicate of #49