The rUSDY.transferFrom function can cause reentrancy if a contract has been approved. The function looks like this:
<https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L301-L312>
```solidity
function transferFrom(
    address _sender,
    address _recipient,
    uint256 _amount
) public returns (bool) {
    uint256 currentAllowance = allowances[_sender][msg.sender];
    require(currentAllowance >= _amount, "TRANSFER_AMOUNT_EXCEEDS_ALLOWANCE");
    _transfer(_sender, _recipient, _amount);
    _approve(_sender, msg.sender, currentAllowance - _amount); // @audit doesn't follow the checks-effects-interactions pattern
    return true;
}
```
This could be an issue if it's a contract that has been approved to spend tokens, as it can reenter this function.
Manual review.
Use the CEI pattern or add the OZ ReentrancyGuard library.
Reentrancy
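The recommended mitigation, as an added example (not code from the Ondo repository or from the report's author): a hypothetical minimal token whose `transferFrom` spends the allowance before moving balances and carries a hand-rolled `nonReentrant` guard standing in for OpenZeppelin's ReentrancyGuard. The contract name `CeiAllowanceToken`, the `entered` flag and the `REENTRANT_CALL` and `TRANSFER_AMOUNT_EXCEEDS_BALANCE` strings are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: a hypothetical minimal token, not the rUSDY contract.
contract CeiAllowanceToken {
    mapping(address => uint256) private balances;
    mapping(address => mapping(address => uint256)) private allowances;
    uint256 private entered = 1; // 1 = idle, 2 = inside a guarded call

    constructor(uint256 _supply) {
        balances[msg.sender] = _supply;
    }

    // Hand-rolled guard; stands in for OZ ReentrancyGuard's nonReentrant.
    modifier nonReentrant() {
        require(entered == 1, "REENTRANT_CALL");
        entered = 2;
        _;
        entered = 1;
    }

    function approve(address _spender, uint256 _amount) external returns (bool) {
        allowances[msg.sender][_spender] = _amount;
        return true;
    }

    function allowance(address _owner, address _spender) external view returns (uint256) {
        return allowances[_owner][_spender];
    }

    function transferFrom(
        address _sender,
        address _recipient,
        uint256 _amount
    ) public nonReentrant returns (bool) {
        // Check: the caller must hold enough allowance.
        uint256 currentAllowance = allowances[_sender][msg.sender];
        require(currentAllowance >= _amount, "TRANSFER_AMOUNT_EXCEEDS_ALLOWANCE");
        // Effect: spend the allowance before any balance moves.
        allowances[_sender][msg.sender] = currentAllowance - _amount;
        // Balance movement last; code reached from here sees the reduced allowance.
        require(balances[_sender] >= _amount, "TRANSFER_AMOUNT_EXCEEDS_BALANCE");
        balances[_sender] -= _amount;
        balances[_recipient] += _amount;
        return true;
    }
}
```

Either measure alone addresses the ordering concern: with the allowance written first, a nested `transferFrom` fails the allowance check, and with the guard in place it reverts on entry.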