circuitBreaker overrides the state #38

code423n4 · 2021-06-14T20:19:56Z

Handle

pauliax

Vulnerability details

Impact

function circuitBreaker calls _incrementState but later sets the state itself again:
function _incrementState() internal {
assert(uint256(state) < 4);
state = States(uint256(state) + (1));
emit LogStateChange(uint256(state));
}

function circuitBreaker() external {
    require(
        block.timestamp > (uint256(oracleResolutionTime) + (12 weeks)),
        "Too early"
    );
    _incrementState();
    orderbook.closeMarket();
    state = States.WITHDRAW;
}

Recommended Mitigation Steps

state = States.WITHDRAW; shouldn't be there, or another solution would be to put it before orderbook.closeMarket(); and remove _incrementState(); instead but then LogStateChange event will also need to be emitted manually.

The text was updated successfully, but these errors were encountered:

Splidge · 2021-06-21T10:15:58Z

implemented here

code423n4 added 0 (Non-critical) bug Something isn't working labels Jun 14, 2021

code423n4 added a commit that referenced this issue Jun 14, 2021

pauliax issue #38

4048e8b

Splidge added the sponsor confirmed label Jun 15, 2021

Splidge added the resolved label Jun 21, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

circuitBreaker overrides the state #38

circuitBreaker overrides the state #38

code423n4 commented Jun 14, 2021

Splidge commented Jun 21, 2021

circuitBreaker overrides the state #38

circuitBreaker overrides the state #38

Comments

code423n4 commented Jun 14, 2021

Handle

Vulnerability details

Impact

Recommended Mitigation Steps

Splidge commented Jun 21, 2021