Skip to content

Add protection to prevent reentrancy from malicious token contract #32

Description

@romanzac

Problem

The test__ReentrancyProtectionRegister and test__ReentrancyProtectionWithdraw are currently failing - reentrancy attempt on register and withdrawal is possible if TOKEN is a malicious contract. Wrong token contract could be configured by a mistake for long enough to let attacker attempt reentrancy. The current situation is:

  • register:
    reentrancy attack failed with low level error:
    "SafeERC20: low-level call failed"

  • withdraw:
    reentrancy attack failed with business logic preventing further calls:
    "Insufficient deposit balance"

Impact

Low occurrence, low impact.

To reproduce

  1. Please checkout de7b417
  2. cd waku-rlnv2-contract
  3. forge test --match-test test__ReentrancyProtectionRegister -vvvv
  4. forge test --match-test test__ReentrancyProtectionWithdraw -vvvv

Expected behavior

RLN contract should ideally provide strong guarantees for the users regardless of chain or TOKEN contract configured.

Screenshots/logs

test__ReentrancyProtectionRegister.log
test__ReentrancyProtectionWithdraw.log

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Fields

    No fields configured for Enhancement.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions