The order of operations in the _moveTokensAndETHfromAdjustment function in the BorrowerOperations contract may allow an attacker to cause events to be emitted out of order.
If the borrower is a contract, the call could trigger a callback into BorrowerOperations, executing the _adjustTrove flow above again.
Because the _moveTokensAndETHfromAdjustment call is the final operation in the function, the on-chain state of the system cannot be manipulated. However, events are emitted after this call.
In a reentrant call, these events would be emitted in the incorrect order.
The event for the second operation is emitted first, followed by the event for the first operation.
Any off-chain monitoring tools may now have an inconsistent view of on-chain state.
Apply the checks-effects-interactions pattern and move the event emissions above the call to _moveTokensAndETHfromAdjustment to avoid the potential reentrancy.
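The ordering problem and the fix can be reproduced in a small model. This is an added example, not code from the audited contracts: the Trove and ReentrantBorrower classes, the TroveUpdated event name as used here, and all debt values are constructed assumptions that stand in for the _adjustTrove flow and a borrower contract.

```python
# Simplified model (constructed for illustration): one trove, one event type.
class Trove:
    def __init__(self, emit_before_call):
        self.debt = 100               # on-chain state (constructed starting value)
        self.log = []                 # event log, in emission order
        self.emit_before_call = emit_before_call

    def adjust(self, delta, borrower):
        # Effects: state is final before any external call.
        self.debt += delta
        new_debt = self.debt          # value captured for the event
        if self.emit_before_call:
            self.log.append(("TroveUpdated", new_debt))   # CEI ordering
        # Interaction: sending funds hands control to the borrower.
        borrower.receive(self)
        if not self.emit_before_call:
            self.log.append(("TroveUpdated", new_debt))   # ordering from the finding


class ReentrantBorrower:
    """Borrower contract whose receive hook re-enters adjust() once."""
    def __init__(self, delta):
        self.delta = delta
        self.entered = False

    def receive(self, trove):
        if not self.entered:
            self.entered = True
            trove.adjust(self.delta, self)


def run(emit_before_call):
    trove = Trove(emit_before_call)
    trove.adjust(10, ReentrantBorrower(5))
    # An off-chain monitor that trusts the most recent event for its view.
    monitor_view = trove.log[-1][1]
    return trove.debt, [d for _, d in trove.log], monitor_view


if __name__ == "__main__":
    for flag in (False, True):
        print("emit_before_call =", flag, "->", run(flag))
```

With the event emitted after the call, the log ends on the outer operation's stale value while the stored debt reflects both operations; with the event emitted first, the last event matches the stored state.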
- ToB Audit Liquity Finding 6
- Undefined Behavior Logging
- Reentrancy -> Event Ordering
- Apply CEI Pattern