sherlock-audit / 2024-01-rio-vesting-escrow-judging


kgothatso - Reentrancy attack and loss of funds #105

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

kgothatso

high

Reentrancy attack and loss of funds

Summary

A user or contract can re-enter the claim function.

Vulnerability Detail

Reentrancy attack

Impact

Funds can be lost.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L136

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L202

    function claim(address beneficiary, uint256 amount) external onlyRecipient returns (uint256) {
        uint256 claimable = Math.min(unclaimed(), amount);
        // Effect: the claimed accounting is updated before any external call.
        totalClaimed += claimable;

        // Interaction: the token transfer happens after the state update.
        token().safeTransfer(beneficiary, claimable);
        emit Claim(beneficiary, claimable);

        return claimable;
    }

Tool used

Manual Review

Recommendation

Use Reentrancy Guard
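To make concrete what the reentrancy claim hinges on, the following is an added Python model of the `claim` ordering shown in the snippet; it is not code from the original issue or from the Rio project. It assumes `unclaimed()` is the vested total minus `totalClaimed`, and it deliberately assumes a token that hands control to the beneficiary during a transfer (an ERC777-style hook; a plain ERC20 `safeTransfer` gives the beneficiary no such callback), so that a reentrant call is even possible. The model runs the snippet's order (state update, then transfer) next to the swapped order (transfer, then state update) and reports what a re-entering beneficiary ends up with.

```python
"""Model of claim() ordering with a hypothetical re-entering beneficiary.

Assumptions (not from the original issue or the Rio code):
- unclaimed() == vested_total - total_claimed.
- The token invokes a hook on the receiver during transfer (ERC777-style).
  A plain ERC20 safeTransfer has no such hook, so this is the worst case.
"""


class Escrow:
    """Minimal stand-in for the vesting escrow's claim accounting."""

    def __init__(self, vested_total, token, effects_first=True):
        self.vested_total = vested_total
        self.total_claimed = 0
        self.token = token
        self.effects_first = effects_first

    def unclaimed(self):
        return self.vested_total - self.total_claimed

    def claim(self, beneficiary, amount):
        claimable = min(self.unclaimed(), amount)
        if self.effects_first:
            # Order used in the snippet: update state, then call out.
            self.total_claimed += claimable
            self.token.transfer(beneficiary, claimable)
        else:
            # Swapped order: call out first, update state afterwards.
            # This is the shape a reentrancy drain actually needs.
            self.token.transfer(beneficiary, claimable)
            self.total_claimed += claimable
        return claimable


class HookToken:
    """Constructed toy token that notifies the receiver on every transfer."""

    def __init__(self, escrow_balance):
        self.balances = {"escrow": escrow_balance}

    def transfer(self, to, amount):
        if self.balances["escrow"] < amount:
            raise RuntimeError("escrow underfunded")
        self.balances["escrow"] -= amount
        self.balances[to.name] = self.balances.get(to.name, 0) + amount
        to.on_receive(amount)  # control passes to the beneficiary here


class ReentrantBeneficiary:
    """Hypothetical recipient that re-enters claim() from the token hook."""

    def __init__(self, name, max_depth=10):
        self.name = name
        self.escrow = None
        self.depth = 0
        self.max_depth = max_depth
        self.reentries = 0

    def on_receive(self, amount):
        # Re-enter while the outer claim() is still on the stack, asking for
        # the same amount again; stop once nothing is being paid out.
        if amount > 0 and self.depth < self.max_depth and self.escrow:
            self.depth += 1
            self.reentries += 1
            self.escrow.claim(self, amount)
            self.depth -= 1


def run(effects_first, vested_total=100, escrow_balance=2000):
    """Return (attacker balance, total_claimed, reentries) for one ordering."""
    token = HookToken(escrow_balance)
    attacker = ReentrantBeneficiary("attacker")
    escrow = Escrow(vested_total, token, effects_first)
    attacker.escrow = escrow
    escrow.claim(attacker, vested_total)
    return token.balances["attacker"], escrow.total_claimed, attacker.reentries


if __name__ == "__main__":
    print("state-then-transfer (snippet order):", run(True))
    print("transfer-then-state (swapped order):", run(False))
```

With the snippet's order, the first re-entered `claim` sees `unclaimed() == 0`, so the beneficiary receives exactly the vested amount and `total_claimed` stays consistent; only the swapped order lets the re-entering call pull the vested amount repeatedly and push `total_claimed` past `vested_total`. In the real contract the function is additionally restricted by `onlyRecipient`, so even the hook assumed here would only ever be exercised by the recipient address.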

nevillehuang commented 9 months ago

Invalid, reentrancy is not possible, and this issue certainly doesn't prove that

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

pratraut commented:

'invalid due to recipient being TRUSTED entity'