
Serpent0x.
May 31, 2024
Discussion

Reentrancy Vulnerability

Hello everyone, I've noticed that the offer function uses the .call{value: amount}("") method to send Ether to the recipient's address.

Could anyone provide insight into whether this function is indeed vulnerable to reentrancy and suggest any best practices or modifications to mitigate such risks?

function _offer(address to, uint256 amount) internal {
    balance -= amount;

    (bool success, ) = to.call{value: amount}("");
    if (!success) {
        revert TransferFailed(address(0), address(this), to, amount);
    }
}
  • Smart Contract
  • Solidity
  • Solidity Compiler

Answers

0x0304...a958.
Aug 11 2024, 15:15

One of the best practices in Solidity is CEI (Checks, Effects, Interactions). It describes the order in which your code is structured to avoid unexpected behaviour or malicious execution.

Checks would be implementing some require statements to be sure the parameters in your function are correct. There aren't any in your _offer() function, but you could add for example require(balance >= amount); (not necessary) at the beginning of your function to be sure that the user doesn't spend more than what he owns.

Effects are basically changing the state variables of your contract in order to suit what you want it to be now. Here, it's the line balance -= amount;, reducing the user's balance.

Interactions are calls to other contracts/addresses that might trigger some unknown code (for example when you call to send money, it might trigger a receive() function of the smart contract calling your function).

Because you follow this rule in this code, no re-entrancy should be possible.

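An added example, not code from the original post or the answerer, that puts the interaction-before-effect ordering the answer warns about next to the CEI ordering of the poster's _offer, with the suggested balance check made explicit and a simple mutex as defence in depth. The contract name, the TransferFailed and Reentrant error declarations, the receive() function and the nonReentrant modifier are assumptions made here for a self-contained contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the original poster's code. Contrasts the ordering the
// answer warns about with the CEI ordering of the poster's _offer.
contract OfferExample {
    error TransferFailed(address token, address from, address to, uint256 amount);
    error Reentrant();

    uint256 public balance;
    bool private locked;

    // Defence in depth: a simple mutex in the style of a reentrancy guard.
    modifier nonReentrant() {
        if (locked) revert Reentrant();
        locked = true;
        _;
        locked = false;
    }

    receive() external payable {
        balance += msg.value;
    }

    // UNSAFE ordering, for comparison only: the external call happens before
    // the state update, so code run by `to` during the call still sees the old
    // balance and can re-enter before the effect is recorded (CEI violated).
    function _offerInteractionFirst(address to, uint256 amount) internal {
        (bool success, ) = to.call{value: amount}("");
        if (!success) revert TransferFailed(address(0), address(this), to, amount);
        balance -= amount;
    }

    // CEI ordering, matching the poster's _offer with the suggested check made explicit.
    function _offer(address to, uint256 amount) internal {
        // Check: redundant under 0.8 checked arithmetic (balance -= amount reverts
        // on underflow), kept to state the intent.
        if (balance < amount) revert TransferFailed(address(0), address(this), to, amount);
        // Effect: record the new state before any external call.
        balance -= amount;
        // Interaction: only now talk to the outside world.
        (bool success, ) = to.call{value: amount}("");
        if (!success) revert TransferFailed(address(0), address(this), to, amount);
    }

    // Public entry point; the mutex still protects if CEI is broken in a later refactor.
    function offer(address to, uint256 amount) external nonReentrant {
        _offer(to, amount);
    }
}
```

Only the CEI version is reachable from outside; the interaction-first function is kept internal and unused purely to show the ordering to avoid.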
