Closed sherlock-admin4 closed 4 months ago
Escalate Dup of 268
Escalate Dup of 268
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #268
Result: High Duplicate of #268
0x486776
high
Reentrancy attack by edition referrer.
Summary
Assigning a malicious contract as the referrer of a new edition can enable a reentrancy attack on any minting process.
Vulnerability Detail
Consider the following scenario:
edition::mintBatch with empty parameters. Subsequently, edition::mintBatch mints nothing and triggers _refundExcess() at L296.
edition::_refundExcess proceeds to transfer all balances, including Bob's remaining ether, to Alice's referrer.
Consequently, Bob's remaining Ether is diverted to Alice's referrer, rather than returned to Bob.
Impact
The edition creator can potentially execute reentrancy attacks by assigning a malicious contract as the referrer of the edition.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L512-L516
Tool used
Manual Review
Recommendation
Edition.sol should inherit the ReentrancyGuard contract.
Duplicate of #268
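The refund behaviour described in this report, and the effect of the recommended guard, as a small Python model. This is an added illustration, not code from Edition.sol or from the report's author. Assumptions: the class and function names, the price of 10, the 10% referral share, and the referral payout being the external call that runs the referrer's code are all constructed for the example.

```python
class Reentered(Exception):
    """Stands in for the revert a reentrancy guard produces."""

class MaliciousReferrer:
    def on_receive(self, edition):
        try:
            edition.mint_batch(self, value=0, quantity=0)  # empty nested mint
        except Reentered:
            pass  # the guard rejected the nested call

class EditionModel:
    PRICE = 10  # constructed price per token

    def __init__(self, referrer, guarded):
        self.referrer, self.guarded = referrer, guarded
        self.balance, self.entered, self.paid = 0, False, {}

    def _send(self, to, amount):
        self.balance -= amount
        self.paid[to] = self.paid.get(to, 0) + amount
        if hasattr(to, "on_receive"):
            to.on_receive(self)  # external call: recipient code runs here

    def _refund_excess(self, sender):
        if self.balance > 0:  # the whole balance goes to the current caller
            self._send(sender, self.balance)

    def mint_batch(self, sender, value, quantity):
        if self.guarded and self.entered:
            raise Reentered()
        self.entered = True
        try:
            self.balance += value
            cost = self.PRICE * quantity
            if cost:
                self._send("creator", cost - cost // 10)
                self._send(self.referrer, cost // 10)  # assumed referral payout
            self._refund_excess(sender)
        finally:
            self.entered = False

def run(guarded):
    """Bob overpays by 15; returns (Bob's refund, referrer's total receipts)."""
    referrer = MaliciousReferrer()
    edition = EditionModel(referrer, guarded)
    edition.mint_batch("bob", value=25, quantity=1)
    return edition.paid.get("bob", 0), edition.paid[referrer]
```

Without the guard the nested empty mint drains Bob's excess to the referrer; with it the nested call is rejected and the refund reaches Bob.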