Platform: Code4rena
Start Date: 28/04/2022
Pot Size: $50,000 USDC
Total HM: 7
Participants: 43
Period: 5 days
Judge: gzeon
Total Solo HM: 2
Id: 115
League: ETH
Rank: 32/43
Findings: 1
Award: $89.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Dravee
Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, AlleyCat, Funen, GalloDaSballo, GimelSec, Hawkeye, MaratCerby, Picodes, berndartmueller, cccz, defsec, delfin454000, dipp, hyh, ilan, joestakey, kebabsec, luduvigo, pauliax, peritoflores, robee, rotcivegaf, samruna, shenwilly, sikorico, simon135, sorrynotsorry, unforgiven, z3s
89.0354 USDC - $89.04
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/DemandMinerV2.sol#L67
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/DemandMinerV2.sol#L90
The functions deposit and withdraw in DemandMinerV2 are not conformant to CEI (Checks Effects Interactions) as they transfer the token (external call) before performing internal checks and updates.
For this reason, if the contract was set up to use a token with hooks (e.g. ERC777), reentrancy could be exploited, creating undefined scenarios.
Add the nonReentrant modifier to these functions.
#0 - m19
2022-05-05T07:37:14Z
While the recommended CEI pattern isn't being followed, a reentrancy attack is not actually possible, even with an ERC777 token. A reentrancy attack on the withdraw function would only work if the transfer happens between the check and the state update. We also don't see any way a reentrancy on the deposit function is possible.
#1 - gzeoneth
2022-06-05T12:36:43Z
Reentrancy without exploit. Downgrading to Low / QA.
#2 - gzeoneth
2022-06-05T16:30:32Z
Treating as warden's QA report.
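The ordering argument in this thread can be checked with a toy Python model, added here as an illustration; it is not code from the Mimo repository or from any participant. It compares transfer-first (`TCU`, the order the finding describes), check-transfer-update (`CTU`), CEI (`CUT`) and a nonReentrant-style lock when a token receive hook re-enters withdraw once. Assumptions: `Pool`, `paid_out`, `reenter_once` and the alice/bob balances are constructed, the check reads the stake into a local, and the update writes that local minus the amount.

```python
import copy

class Revert(Exception):
    """Models an EVM revert: all state changes of the transaction are discarded."""

class Pool:
    """Toy staking pool, constructed for illustration (not DemandMinerV2's code)."""
    def __init__(self, order, guard=False):
        self.order, self.guard, self.entered = order, guard, False
        self.stake = {"alice": 10, "bob": 10}    # internal accounting
        self.wallet = {"alice": 0, "bob": 0}     # tokens paid out to users
        self.held = 20                           # tokens the pool holds
        self.hook = None                         # models a token receive hook

    def _send(self, user, amount):               # T: the external token transfer
        if self.held < amount:
            raise Revert("pool balance too low")
        self.held -= amount
        self.wallet[user] += amount
        if self.hook:
            self.hook(self, user, amount)        # recipient code runs here

    def withdraw(self, user, amount):
        if self.guard and self.entered:          # nonReentrant-style lock
            raise Revert("reentrant call")
        self.entered = True
        for step in self.order:
            if step == "T":
                self._send(user, amount)
            elif step == "C":                    # C: check against a cached read
                cached = self.stake[user]
                if cached < amount:
                    raise Revert("stake too low")
            else:                                # U: write back cached - amount
                self.stake[user] = cached - amount
        self.entered = False

def reenter_once(pool, user, amount):
    pool.hook = None                             # re-enter a single time
    pool.withdraw(user, amount)

def paid_out(order, guard=False, hook=reenter_once):
    """Tokens alice (stake 10) ends up with after one atomic withdraw(10)."""
    pool = Pool(order, guard)
    pool.hook = hook
    snapshot = copy.deepcopy(pool.__dict__)
    try:
        pool.withdraw("alice", 10)
    except Revert:
        pool.__dict__.update(snapshot)           # revert rolls everything back
    return pool.wallet["alice"]
```

In this model only `CTU` without the lock pays out more than the stake; `TCU` reverts because the outer call's check runs after the inner call has already reduced the stake.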