[audit] #12 : Same address can use multiple discounts through reentrancy #46
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reorder transactions to prevent reentrancy attack.
From Spearbit:
Description
The
discountRegistrantsmapping is used to keep track of which addresses have already used a discount and block them from registering with another or the same discount again.The mapping is checked in the
validDiscountmodifier and updated after_registrationfunction. The user can specify a custom resolver address in the request on whichmulticallWithNodeCheckis called in the_registrationfunction. This can be used to reenter the contract and use the same or a different discount before thediscountRegistrantsupdated.Note that as the
validDiscountschecks the discount eligbility against themsg.senderthe specified resolver must be the address that is eligible for the discount. This could be the case for smart contract wallets that can provide the neededmulticallWithNodeCheckfunction to perform this exploit.Recommendation
Move the update to the
discountRegistrantsstate variable before doing the call to the resolver. This could be just before the_registerstatement or even in thevalidDiscountmodifier.