The contract TitlesCore is susceptible to reentrancy attacks in several places. While it uses the nonReentrant modifier from OpenZeppelin, this is not applied consistently, and missing in several function calls.
Vulnerability Detail
Re-entrancy vulnerabilities occur when a function calls another function (either external or internal) in such a way as to allow new requests to the original function to be processed before the original function's processing is completed. This allows an attacker to potentially manipulate state variables and drain the contract's balance.
Impact
For example, in the publish function there's an external call to edition_.publish which can change the state of the contract. If the edition_ contract has a bug or malicious code, it could reenter into the TitlesCore.publish function and changes could be made on the unchecked state.
Each of these calls are followed by the comment wake-disable-next-line reentrancy, indicating that reentrancy checks have been deliberately disabled on the next line.
Tool used
Manual Review
Recommendation
Ensure the nonReentrant modifier is consistently used, especially when making external function calls that can affect contract state. Secondly, always take actions in the following order: 1) Decrease balance 2) Change state 3) External Calls.
w42d3n
medium
Reentrancy Vulnerabilities in TitlesCore.sol
Summary
The contract
TitlesCoreis susceptible to reentrancy attacks in several places. While it uses thenonReentrantmodifier from OpenZeppelin, this is not applied consistently, and missing in several function calls.Vulnerability Detail
Re-entrancy vulnerabilities occur when a function calls another function (either external or internal) in such a way as to allow new requests to the original function to be processed before the original function's processing is completed. This allows an attacker to potentially manipulate state variables and drain the contract's balance.
Impact
For example, in the
publishfunction there's an external call toedition_.publishwhich can change the state of the contract. If theedition_contract has a bug or malicious code, it could reenter into theTitlesCore.publishfunction and changes could be made on the unchecked state.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L126-L148
Each of these calls are followed by the comment
wake-disable-next-line reentrancy, indicating that reentrancy checks have been deliberately disabled on the next line.Tool used
Manual Review
Recommendation
Ensure the
nonReentrantmodifier is consistently used, especially when making external function calls that can affect contract state. Secondly, always take actions in the following order: 1) Decrease balance 2) Change state 3) External Calls.