sherlock-audit / 2024-01-telcoin-judging


iberry - The _withdrawAll function in the CouncilMember contract does not adhere to the CEI pattern #223

Closed sherlock-admin closed 5 months ago

sherlock-admin commented 5 months ago

iberry

medium

The _withdrawAll function in the CouncilMember contract does not adhere to the CEI pattern

Summary

_withdrawAll function does not adhere to the CEI pattern

Vulnerability Detail

The _withdrawAll function in the CouncilMember contract first calls the transfer of the money, then sets balances[tokenId] = 0; this may cause reentry.

Impact

medium, may lead to reentry

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L339-L341

Tool used

Manual Review

Recommendation

function _withdrawAll(address from, uint256 tokenId) internal {
    uint256 amount = balances[tokenId];
    balances[tokenId] = 0;
    TELCOIN.safeTransfer(from, amount);
}

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { not possible; invalid}

nevillehuang commented 5 months ago

Invalid, insufficient proof that reentrancy is possible.
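
A toy Python model of the two orderings discussed in this thread, added here as an example; it is not code from the issue or from the Telcoin repository. It shows that transferring before zeroing the balance only pays out twice when the token hands control to the recipient during the transfer, which is the kind of proof the judging comment asks for. The `Token`, `Vault` and `CallbackRecipient` classes and the `on_receive` hook are assumptions of the model.

```python
class Token:
    """Toy ledger; hooks=True models a token that calls the recipient on transfer."""
    def __init__(self, hooks):
        self.hooks, self.bal = hooks, {}

    def transfer(self, sender, to, amount):
        if self.bal.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[sender] = self.bal.get(sender, 0) - amount
        self.bal[to] = self.bal.get(to, 0) + amount
        if self.hooks and hasattr(to, "on_receive"):
            to.on_receive()  # control passes to the recipient here


class Vault:
    """Holds per-tokenId claims; cei selects the ordering inside withdraw_all."""
    def __init__(self, token, cei):
        self.token, self.cei, self.balances = token, cei, {}

    def withdraw_all(self, to, token_id):
        amount = self.balances[token_id]
        if self.cei:
            self.balances[token_id] = 0            # effect first
            self.token.transfer(self, to, amount)  # interaction last
        else:
            self.token.transfer(self, to, amount)  # interaction first
            self.balances[token_id] = 0            # effect applied too late


class CallbackRecipient:
    """Recipient that calls back into the vault once when notified."""
    def __init__(self, vault):
        self.vault, self.called = vault, False

    def on_receive(self):
        if not self.called:
            self.called = True
            self.vault.withdraw_all(self, 1)


def run(hooks, cei):
    """Return what the recipient ends up with when it is owed 100 (constructed values)."""
    token = Token(hooks)
    vault = Vault(token, cei)
    recipient = CallbackRecipient(vault)
    token.bal[vault] = 300   # vault holds funds for several claims
    vault.balances[1] = 100  # the recipient's claim
    vault.withdraw_all(recipient, 1)
    return token.bal[recipient]
```

In this model only the combination of a callback-capable token and the transfer-first ordering overpays; with the balance zeroed first, or with a token that never calls the recipient, the payout equals the claim.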