Lucene search

K
code423n4Code4renaCODE423N4:2022-12-GOGOPOOL-FINDINGS-ISSUES-756
HistoryJan 03, 2023 - 12:00 a.m.

EXTERNAL CALL TO UNTRUSTED PARTIES

2023-01-0300:00:00
Code4rena
github.com
7

Lines of code
<https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L202&gt;

Vulnerability details

Impact

Functions in this contract or inherited functions can be reentered.

Proof of Concept

In Vault.sol the withdrawAVAX() and redeemAVAX() functions make an external call to the msg.sender by way of _safeTransferETH. This allows the caller to reenter this and other functions in this and other protocol files. Other instances of this vulnerability exist throughout the code. However, in this particular case, msg.sender isn’t a network contract or guardian but a user. This makes it susceptible to malicious reentrancy

Tools Used

Manual

Recommended Mitigation Steps

Add a reentrancy guard


The text was updated successfully, but these errors were encountered:

All reactions