Assessment reports>H20 vlPSDN>Discussion>Follow checks-effects-interactions pattern

Follow checks-effects-interactions pattern

We recommend following the checks-effects-interactions pattern in LockRewards._withdraw by changing the state of the contract before calling the external contract. Although we did not identify any reentrancy attacks, it is a best practice to prioritize security and prevent potential future attacks.

function _withdraw(uint256 amount) internal {
    if (amount == 0 || accounts[msg.sender].balance < amount) revert InsufficientAmount();
    if (accounts[msg.sender].lockEpochs > 0 && enforceTime) revert FundsInLockPeriod(accounts[msg.sender].balance);

    IERC20(lockToken).safeTransfer(msg.sender, amount);
    totalAssets -= amount;
    accounts[msg.sender].balance -= amount;
    emit Withdrawn(msg.sender, amount);
}

Remediation

The issue has been fixed by H20 in commit b605322d.

Zellic © 2023Back to top ↑