nevillehuang
commented
6 months ago Invalid, insufficient proof to show that this is possible. Additionally, ERC777 is not supported by DODO as seen here
Closed sherlock-admin2 closed 6 months ago
nevillehuang
commented
6 months ago Invalid, insufficient proof to show that this is possible. Additionally, ERC777 is not supported by DODO as seen here
OrderSol
medium
Cross-contract reentrancy via correctRState
Summary
'correctRState' is not marked with
nonReentrant, leading to potential ReadOnly-like reentrancy attacks on protocols that can possibly depend on DODO data. Protocol itslef in not affected.Vulnerability Detail
'correctRState' can lead to change of state and is not
nonReentrant, allowing to change state for_BASE_TARGET_and_QUOTE_TARGET_variables. These variable are used in formulas for price impact and calculations and are accessible outside. Combined with flash-loan capability or ERC777-like compatible tokens, this can lead to potential "ReadOnly"-like reentrancy threats.Impact
MEDIUM - it doesn't not seem that protocol itself if affected - only potential integrations.
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPVault.sol#L140
Tool used
Manual review
Recommendation
Add
nonReentrantmodifier to the function.