sherlock-admin
commented
9 months ago 2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Invalid. User mistake
0xAadi commented:
Invalid: It causes financial loss to potential attackers and no loss to users.
Sta1400
medium
Front-running vulnerability in
BaseGladiusReactorSummary
The
_fill()function in theBaseGladiusReactorcontract lacks a check to verify if the recipient can receive Ether, which can lead to a vulnerability where contracts unable to receive Ether inadvertently receive it, potentially causing transactions to revert.Vulnerability Detail
The vulnerability arises from the
_fill()function in theBaseGladiusReactorcontract. This function does not check if the recipient (msg.sender) is a contract that can receive Ether. Therefore, if a contract incapable of receiving Ether calls theexecute*()functions with Ether in the contract's balance, the transaction will revert. This presents an opportunity for front-running attacks, where attackers can exploit vulnerable transactions to cause them to revert. Indeed, an attacker can send Ether toBaseGladiusReactorjust before theexecute*()function is called by a vulnerable contract, causing the transaction to revert.Impact
The impact of this vulnerability is that valid transactions can unexpectedly revert if the user contract isn't able to receive funds. This can lead to disruptions in the expected behavior of transactions and potentially result in financial losses or other adverse effects for users interacting with the contract.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L248
Tool used
Manual Review
Recommendation
To mitigate this vulnerability, a check should be added within the
_fillfunction to verify if the recipient (msg.sender) is capable of receiving Ether. This can be achieved by implementing a function or modifier that checks if the recipient is a contract and has apayable fallbackfunction orreceive()function.