sherlock-audit / 2023-12-flatmoney-judging


bareli - refund mechanism #226

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

bareli

medium

refund mechanism

Summary

The refund mechanism in updatePythPrice uses a direct call to send ETH, which is a potential security risk. It should ensure that the call's gas limit is set to prevent reentrancy attacks.

Vulnerability Detail

```solidity
if (msg.value - fee > 0) {
    // Need to refund caller. Try to return unused value, or revert if failed
    (bool success, ) = sender.call{value: msg.value - fee}("");
    if (success == false) revert FlatcoinErrors.RefundFailed();
}
```

Impact

It should ensure that the call's gas limit is set to prevent reentrancy attacks.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L73

Tool used

Manual Review

Recommendation

Use a gas limit in the call function.

sherlock-admin commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 5 months ago

Invalid, updatePythPrice() has the nonReentrant modifier as seen here
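The pattern at issue in the report and the judges' reply, as an added illustration (this is editorial example code, not Flat Money's OracleModule or any of its identifiers; `RefundExample`, `Reenterer`, `fee` and `updates` are hypothetical): a payable function that charges a fee, refunds the excess with a plain `call` that forwards all gas, and relies on a `nonReentrant` guard rather than a gas cap on the refund. The second contract tries to re-enter from its `receive()` hook while the refund is being paid and records that the nested call was rejected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (added example, not Flat Money's OracleModule).
/// `update` takes a fee in ETH, refunds the excess with a low-level call,
/// and is protected by a reentrancy guard rather than by a gas cap on the call.
contract RefundExample {
    error RefundFailed();
    error Reentrant();
    error InsufficientFee();

    uint256 private constant UNLOCKED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = UNLOCKED;

    /// Minimal nonReentrant guard: the status check runs before the function
    /// body, so a re-entering call reverts even though ETH is sent mid-function.
    modifier nonReentrant() {
        if (_status == ENTERED) revert Reentrant();
        _status = ENTERED;
        _;
        _status = UNLOCKED;
    }

    uint256 public immutable fee;   // hypothetical fixed fee for this example
    uint256 public updates;         // hypothetical state written by update()

    constructor(uint256 fee_) {
        fee = fee_;
    }

    function update() external payable nonReentrant {
        if (msg.value < fee) revert InsufficientFee();
        updates += 1;

        uint256 refund = msg.value - fee;
        if (refund > 0) {
            // Same shape as the snippet in the report: forward all gas, no stipend cap.
            // A fixed gas cap (e.g. 2300) would break refunds to smart-contract callers
            // whose receive() does more than emit an event, and opcode gas costs have
            // changed between forks, so a cap is not a stable reentrancy defence.
            (bool success, ) = msg.sender.call{value: refund}("");
            if (!success) revert RefundFailed();
        }
    }
}

/// Caller that tries to re-enter update() from its receive() hook while the
/// refund is being paid. The nested call hits the guard and reverts; the
/// try/catch records that the re-entry was rejected without aborting the refund.
contract Reenterer {
    RefundExample private immutable target;
    bool public reentryBlocked;

    constructor(RefundExample target_) {
        target = target_;
    }

    function attack() external payable {
        target.update{value: msg.value}();
    }

    receive() external payable {
        // Re-enter with the refund just received. Without the guard this would
        // pass the fee check (when the refund covers the fee) and run update() again.
        try target.update{value: msg.value}() {
            // Unreachable while the guard is in place.
        } catch {
            reentryBlocked = true;
        }
    }
}
```

Deploying `RefundExample` with some `fee_`, then calling `Reenterer.attack` with `msg.value == 2 * fee_`, leaves `updates == 1` and `reentryBlocked == true`: the refund of `fee_` is paid in full, and the attempted second `update` reverts with `Reentrant` before it can touch state. That is the property the judges point to with the `nonReentrant` modifier; capping gas on the refund call would not add to it and would make refunds to contract callers fragile.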