wickie - Not using nonReentrant modifer, although inherited from ReentrancyGuardUpgradable allows reentrancy. #187
Comments
sherlock-admin4
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
wickie
Medium
Not using nonReentrant modifer, although inherited from ReentrancyGuardUpgradable allows reentrancy.
Summary
The contract NounsAuctionHouseV3.sol() inherits OZ's ReentrancyGuardUpgradeable but does not use the nonReentrant modifer that comes with it. Since external calls are always done to the auction's last bidder, this opens up opportunities to re-enter into the contract. Although the safeTransferETH() limits the gas usage to 30000, this could stay leads to read-only reentrancy in external contracts utilizing the Auction House.
Root Cause
nonReentrant modifer is inherited but not used in functions.
Internal pre-conditions
A malicious contract has to enter the auction.
External pre-conditions
No response
Attack Path
1.A malicious contract enters the auction.
2.When another users enter, the auction house calls to the malicious contract with last bidding value.
3.Malicious contract reenters into the contract.
Impact
Although reentrancy is possible, it is not clear what an attacker can achieve by it. Nevertheless, nonReentrant modifier should be added to functions, since it is clear that the developers inherited the ReentrancyGuardUpgradable to disable reentrancy.
PoC
No response
Mitigation
Add nonReentrant modifers to functions.
The text was updated successfully, but these errors were encountered: