The mint and burn functions in the WrappedAvail contract do not have reentrancy protection. While the current implementation may not be directly vulnerable, it's generally good practice to guard these functions against reentrancy for contract robustness.
Vulnerability Detail
The mint and burn functions change the contract's state and are protected by the onlyAvailBridge modifier. If the bridge contract were to be compromised or call back into WrappedAvail unexpectedly, it could lead to reentrancy attacks.
Impact
Reentrancy attacks can lead to unexpected behavior, allowing potentially malicious entities to exploit the contract logic, potentially leading to loss of funds or corrupted contract state.
Employ the Checks-Effects-Interactions pattern and consider using a reentrancy guard for functions that alter contract state and are potentially exposed to external calls, even if the current bridge setup seems secure.
Anubis
medium
Potential Reentrancy in Mint and Burn Functions
Summary
The mint and burn functions in the WrappedAvail contract do not have reentrancy protection. While the current implementation may not be directly vulnerable, it's generally good practice to guard these functions against reentrancy for contract robustness.
Vulnerability Detail
The mint and burn functions change the contract's state and are protected by the onlyAvailBridge modifier. If the bridge contract were to be compromised or call back into WrappedAvail unexpectedly, it could lead to reentrancy attacks.
Impact
Reentrancy attacks can lead to unexpected behavior, allowing potentially malicious entities to exploit the contract logic, potentially leading to loss of funds or corrupted contract state.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/WrappedAvail.sol#L30-L36
Tool used
Manual Review
Recommendation
Employ the Checks-Effects-Interactions pattern and consider using a reentrancy guard for functions that alter contract state and are potentially exposed to external calls, even if the current bridge setup seems secure.