Lines of code
<https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L154-L158>
<https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L168-L172>
<https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L212-L227>
The funds (ETH) that users sent along with the bulkExecute may be stolen.
When a buyer send a bulkExecute() tx with msg.value > 0 (with order of buying token with eth), the sent ETH may be stolen if the tx contains a malicious selling order which can trigger a reentry attack.
Here are the details of the reentry attack:
The invocation of a malicious contract in step 2 above may occur under the following circumstances and may be considered constructed maliciously
In addition, when the Buyer calls execute() with a msg.value exceeds the actual price, the buyer may also lose the remaining funds by a reentry attack.
VS Code
This problem is mainly due to the fact that _execute() is reentrancy protected and setupExecution() is not.
Recommended: remove reentrancyGuard from _execute() and add it to external functions (execute() and bulkExecute()) to make setupExecution reentrancy protected.
Here is the diff:
diff --git a/contracts/Exchange.sol b/contracts/Exchange.sol
index ec27b1d..f3fa09b 100644
--- a/contracts/Exchange.sol
+++ b/contracts/Exchange.sol
@@ -155,6 +155,7 @@ contract Exchange is IExchange, ReentrancyGuarded, EIP712, OwnableUpgradeable, U
external
payable
whenOpen
+ reentrancyGuard
setupExecution
{
_execute(sell, buy);
@@ -169,6 +170,7 @@ contract Exchange is IExchange, ReentrancyGuarded, EIP712, OwnableUpgradeable, U
external
payable
whenOpen
+ reentrancyGuard
setupExecution
{
/*
@@ -234,7 +236,6 @@ contract Exchange is IExchange, ReentrancyGuarded, EIP712, OwnableUpgradeable, U
function _execute(Input calldata sell, Input calldata buy)
public
payable
- reentrancyGuard
internalCall
{
require(sell.order.side == Side.Sell);
The text was updated successfully, but these errors were encountered:
All reactions