
Checks-effects-interactions pattern broken

The function claimRebate transfers the USDC to the user before setting rebates to zero.

function claimRebate() external {
    // Interaction first: the token transfer happens while rebates[msg.sender] still holds the full balance.
    usdc.transfer(msg.sender, rebates[msg.sender]);
    // Effect second: the balance is only zeroed after the external call returns.
    rebates[msg.sender] = 0;
}

Although this is currently not a security issue, because USDC does not invoke any hook on the recipient during transfer, the ordering would become a security risk if the protocol decides to use any other token in the future whose transfer calls a hook on the recipient: that hook runs before rebates[msg.sender] is reset, so the rebate balance could be claimed more than once.
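The following contract is an added example, not code from the Avantis protocol or from the assessment itself; the contract name, the RebateVault storage layout and the IERC20 interface are assumptions made for illustration. It places the ordering reported above next to a version that follows the checks-effects-interactions pattern, so that the state update is committed before any external call can hand control to another contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface; only transfer is needed here (assumed for the example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical vault that tracks a rebate balance per user.
contract RebateVault {
    IERC20 public immutable token;
    mapping(address => uint256) public rebates;

    event RebateClaimed(address indexed user, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    // Ordering reported in the finding: interaction before effect.
    // Safe only as long as the token cannot call back into this contract during transfer.
    function claimRebateUnsafe() external {
        token.transfer(msg.sender, rebates[msg.sender]);
        rebates[msg.sender] = 0;
    }

    // Checks-effects-interactions ordering.
    function claimRebate() external {
        // Checks: read the balance once and reject empty claims.
        uint256 amount = rebates[msg.sender];
        require(amount > 0, "nothing to claim");

        // Effects: commit the new state before touching any other contract.
        rebates[msg.sender] = 0;

        // Interactions: the external call now sees a zeroed balance even if it re-enters.
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit RebateClaimed(msg.sender, amount);
    }
}
```

With the effect committed first, a re-entrant call into claimRebate fails the `amount > 0` check instead of paying out again, which holds for any token regardless of whether its transfer has hooks. Checking the boolean returned by transfer is a separate hardening from the finding; tokens that do not return a boolean need a SafeERC20-style wrapper rather than a bare require.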

Zellic © 2025