Closed sherlock-admin closed 11 months ago
4 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because market can not be used to re-enter and no real scenario of reentrancy is presented (possible reentrancy is not a valid issue)
n33k commented:
invalid, ai generated groundless report
0xyPhilic commented:
invalid because there is no PoC confirming a possible re-entrancy
polarzero commented:
Invalid. This is not clear what could actually happen in this scenario; the issue lacks concrete explanation and proof of concept.
0xVinylDavyl
medium
Potential Reentrancy Vulnerability concerned in the contract's fund function, which interacts with an external contract (market.claimFee()) without implementing a reentrancy guard. Potentially exposing the contract to reentrancy attacks
Summary
The "Potential Reentrancy Vulnerability" is a security concern in the contract's
fund
function, which interacts with an external contract (market.claimFee()
) without implementing a reentrancy guard. This vulnerability can potentially expose the contract to reentrancy attacks, allowing malicious code in the external contract to perform unexpected actions.Vulnerability Detail
The vulnerability arises from the contract's interaction with external contracts without protecting against reentrancy attacks. Reentrancy occurs when an external contract calls back into a vulnerable contract before the first call completes, potentially allowing malicious external code to manipulate the contract's state.
Impact
If an external contract (e.g.,
market
) calls back into thefund
function while it is executingmarket.claimFee()
, an attacker could exploit this vulnerability to perform unauthorized actions, manipulate state variables, or even drain the contract's funds.Code Snippet
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/OracleFactory.sol#L111
Tool used
Manual Review
Recommendation
To mitigate the potential reentrancy vulnerability, follow these recommended steps:
Implement a Reentrancy Guard: Implement a reentrancy guard in functions that interact with external contracts. You can use the OpenZeppelin
ReentrancyGuard
library to add protection against reentrancy attacks. Here's an example of how to modify the code:Ensure External Contracts Follow Best Practices: Verify that external contracts (
market
in this case) adhere to best practices to prevent reentrancy vulnerabilities. Contracts interacting with your contract should also have proper access controls and reentrancy protection where necessary.Implementing these recommendations will help protect your contract against reentrancy attacks and enhance its security.