Impossibility of reentrancy in the queue-processing functions
Though the processDepositQueue()
and processWithdrawalQueue()
functions appear to allow reentrancy using the vault.deposit(...)
and vault.redeem(...)
external calls, respectively, the root cause of this issue is that vault addresses are unchecked in many functions — which is already covered in finding ref↗.
Cega added ReentrancyGuard to the FCNProduct contract in commit d73733fb↗