Square Flint Grasshopper
High
The withdrawGraduatedMarketFunds function in the contract contains a reentrancy vulnerability. The _sendEth() function is called before resetting the marketFunds[profileId] value to 0. This allows a malicious contract to reenter the function and repeatedly withdraw funds associated with the same profileId, potentially draining the contract's funds.
At ReputationMarket.sol:675, marketFunds[profileId] wei is sent; this amount is assumed to be nonzero.
At ReputationMarket.sol:677 the value is reset to zero, but the function can be re-entered before that line runs, and marketFunds[profileId] will still hold the old, not yet updated value.
- An authorized account tries to take more ETH than it should.
No response
- The attacker creates a contract that implements receive() and calls withdrawGraduatedMarketFunds from it.
- The contract calls withdrawGraduatedMarketFunds.
- The function is re-entered and ETH is transferred to the contract.
The contract may be drained (ETH only) if the wrong contract is passed as trusted.
No response
Copy the value into a new local variable and reset marketFunds[profileId] before sending ether to the sender.
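
The recommended ordering, as an added sketch that is not the project's ReputationMarket.sol: the contract name, deposit(), the custom errors, the _sendEth signature and the lock modifier are assumptions made for illustration, and the project's authorization and graduation checks are omitted. The lock goes beyond the mitigation above and is included as defense in depth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only; names other than marketFunds, profileId,
// withdrawGraduatedMarketFunds and _sendEth are hypothetical.
contract MarketFundsSketch {
    mapping(uint256 => uint256) public marketFunds;
    bool private locked; // minimal reentrancy lock (assumed, not from the report)

    error NoFunds();
    error Reentered();
    error TransferFailed();

    modifier nonReentrant() {
        if (locked) revert Reentered();
        locked = true;
        _;
        locked = false;
    }

    // Hypothetical helper so the sketch can be funded in a local test.
    function deposit(uint256 profileId) external payable {
        marketFunds[profileId] += msg.value;
    }

    // Ordering the report flags as vulnerable, shown for comparison:
    //   _sendEth(marketFunds[profileId]);  // external call first
    //   marketFunds[profileId] = 0;        // state reset second
    //
    // Hardened ordering: check, then effect, then interaction.
    function withdrawGraduatedMarketFunds(uint256 profileId) external nonReentrant {
        uint256 amount = marketFunds[profileId]; // copy the value to a local
        if (amount == 0) revert NoFunds();       // check
        marketFunds[profileId] = 0;              // effect: reset before sending
        _sendEth(amount);                        // interaction: external call last
    }

    // Assumed shape of the ETH transfer; a failed call reverts the whole
    // transaction, which also restores marketFunds[profileId].
    function _sendEth(uint256 amount) private {
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

With this ordering, a receive() callback that calls withdrawGraduatedMarketFunds again reads a zero balance (or hits the lock) and reverts, so each profileId pays out at most once.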