Trader Joe contest - 0v3rf10w's results

Handle

0v3rf10w

Vulnerability details

Impact

Reentrancy possibilities at multiple places.

Proof of Concept

Reentrancy in RocketJoeFactory.createRJLaunchEvent(address,uint256,address,uint256,uint256,uint256,uint256,uint256,uint256,uint256,uint256) (contracts/RocketJoeFactory.sol#98-155):
        External calls:
        - IERC20(_token).transferFrom(msg.sender,launchEvent,_tokenAmount) (contracts/RocketJoeFactory.sol#133)
        - ILaunchEvent(address(launchEvent)).initialize(_issuer,_phaseOneStartTime,_token,_tokenIncentivesPercent,_floorPrice,_maxWithdrawPenalty,_fixedWithdrawPenalty,_maxAllocation,_userTimelock,_issuerTimelock) (contracts/RocketJoeFactory.sol#135-146)
        State variables written after the call(s):
        - getRJLaunchEvent[_token] = launchEvent (contracts/RocketJoeFactory.sol#148)

Reentrancy in RocketJoeStaking.deposit(uint256) (contracts/RocketJoeStaking.sol#96-112):
        External calls:
        - updatePool() (contracts/RocketJoeStaking.sol#99)
                - rJoe.mint(address(this),rJoeReward) (contracts/RocketJoeStaking.sol#175)
        - _safeRJoeTransfer(msg.sender,pending) (contracts/RocketJoeStaking.sol#105)
                - rJoe.transfer(_to,rJoeBal) (contracts/RocketJoeStaking.sol#184)
                - rJoe.transfer(_to,_amount) (contracts/RocketJoeStaking.sol#186)
        State variables written after the call(s):
        - user.amount = user.amount + _amount (contracts/RocketJoeStaking.sol#107)
        - user.rewardDebt = (user.amount * accRJoePerShare) / PRECISION (contracts/RocketJoeStaking.sol#108)

Reentrancy in RocketJoeStaking.withdraw(uint256) (contracts/RocketJoeStaking.sol#116-135):
        External calls:
        - updatePool() (contracts/RocketJoeStaking.sol#123)
                - rJoe.mint(address(this),rJoeReward) (contracts/RocketJoeStaking.sol#175)
        State variables written after the call(s):
        - user.amount = user.amount - _amount (contracts/RocketJoeStaking.sol#129)
        - user.rewardDebt = (user.amount * accRJoePerShare) / PRECISION (contracts/RocketJoeStaking.sol#130)

Reentrancy in LaunchEvent.createPair() (contracts/LaunchEvent.sol#377-435):
        External calls:
        - WAVAX.approve(address(router),wavaxReserve) (contracts/LaunchEvent.sol#407)
        - token.approve(address(router),tokenAllocated) (contracts/LaunchEvent.sol#408)
        - (None,None,lpSupply) = router.addLiquidity(wavaxAddress,tokenAddress,wavaxReserve,tokenAllocated,wavaxReserve,tokenAllocated,address(this),block.timestamp) (contracts/LaunchEvent.sol#411-420)
        State variables written after the call(s):
        - tokenReserve -= tokenAllocated (contracts/LaunchEvent.sol#426)
        - wavaxReserve = 0 (contracts/LaunchEvent.sol#424)

Reentrancy in RocketJoeFactory.setRJoe(address) (contracts/RocketJoeFactory.sol#159-163)
Reentrancy in RocketJoeFactory.createRJLaunchEvent(address,uint256,address,uint256,uint256,uint256,uint256,uint256,uint256,uint256,uint256) (contracts/RocketJoeFactory.sol#98-155)
Reentrancy in RocketJoeFactory.constructor(address,address,address,address,address,address) (contracts/RocketJoeFactory.sol#45-72)

Recommended Mitigation Steps

use Reentrancy guard from OZ.