Category: Coding Mistakes

Lack of reentrancy guards

Severity: Medium
Impact: Informational
Likelihood: N/A

Description

Most of the public and external functions lack reentrancy guards. Applying a guard to all functions that are not intended to be reentrant greatly simplifies reasoning about the actions that a malicious contract could perform on Voyage and reduces the attack surface.

Impact

The lack of reentrancy guards increases the attack surface reachable by any malicious contract that could be invoked by Voyage.

Recommendations

We recommend applying guards to all functions that are not designed to be reentrant. We note that the diamond pattern adopted by Voyage might require a custom implementation of reentrancy guards, in order to use the shared diamond storage contract to store the flag tracking the contract state. We further note that the diamond pattern requires allowing direct self-reentrancy, slightly limiting how restrictive a reentrancy guard could be.
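A guard of the kind described above can be sketched as follows. This is an added example, not Voyage's code or the auditors' code; the library and contract names and the storage-slot label are hypothetical. The flag lives at a fixed, namespaced slot in the diamond's storage so every facet sees the same state, and direct self-calls are let through.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration. All names and the slot label below are hypothetical.
library LibReentrancyGuard {
    // Namespaced slot: facets run via delegatecall, so this resolves to the
    // diamond's own storage and cannot collide with facets' regular state variables.
    bytes32 internal constant STORAGE_SLOT =
        keccak256("example.diamond.storage.reentrancy.guard");

    uint256 internal constant NOT_ENTERED = 1;
    uint256 internal constant ENTERED = 2;

    struct Layout {
        uint256 status; // 0 (never written) is treated the same as NOT_ENTERED
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = STORAGE_SLOT;
        assembly {
            l.slot := slot
        }
    }
}

// Facets inherit this contract and mark external entry points `nonReentrant`.
abstract contract DiamondReentrancyGuard {
    error ReentrantCall();

    modifier nonReentrant() {
        // Under delegatecall, address(this) is the diamond. A facet calling
        // another facet through the diamond arrives with msg.sender == diamond.
        bool selfCall = msg.sender == address(this);
        LibReentrancyGuard.Layout storage l = LibReentrancyGuard.layout();

        if (!selfCall) {
            if (l.status == LibReentrancyGuard.ENTERED) revert ReentrantCall();
            l.status = LibReentrancyGuard.ENTERED;
        }
        _;
        if (!selfCall) {
            // Only the outermost external entry clears the flag.
            l.status = LibReentrancyGuard.NOT_ENTERED;
        }
    }
}
```

Because self-calls skip the check, any function that makes the diamond call itself with caller-supplied calldata would sidestep the guard, so such forwarding paths need their own review.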

Remediation

Voyage has indicated they have applied reentrancy guards to the majority of external functions. They have further clarified that they believe that all external functions which do not have reentrancy guards are not vulnerable.

Zellic © 2024