Reentry attack vulnerability in Campaign.sol

Question

Reentry attack vulnerability in Campaign.sol

sergeny opened this issue 6 years ago · comments

   function finalizeRequest(uint index) public restricted {
        Request storage request = requests[index];

        require(request.approvalCount > (approversCount / 2));
        require(!request.complete);

        request.recipient.transfer(request.value);
        request.complete = true;
    }

When we are sending money to the recipient, nothing prevents a second recursive call to finalizeRequest. Even though the function is restricted, the recipient could pass control to the manager, who would then execute a recursive call. In this way, the manager, in cooperation with a vendor, could get an approval for a small amount, but withdraw many times that amount.

Technically, it would a solution to check that manager is a human and not a smart contract, but no such check is being done. Furthermore, one could make an innocent-looking smart contract, pretending it's just a convenience tool for the manager, in case someone decides to look, but keep it upgradable to leave a backdoor.

Update: the proposed solution is to interchange the last two lines, setting the flag to true before doing the transfer.

Corey Pennington · Answer 1 · Fri Aug 03 2018 12:16:39 GMT+0800 (China Standard Time)

Just wondering what exactly was the fix?

Corey Pennington · Answer 2 · Fri Aug 03 2018 12:16:54 GMT+0800 (China Standard Time)

Git diff I guess

Sergey Orshanskiy · Answer 3 · Fri Aug 03 2018 12:18:07 GMT+0800 (China Standard Time)

You could swap the last two lines, setting complete to true before doing the transfer.