Skip to content

Latest commit

 

History

History
39 lines (21 loc) · 1.19 KB

File metadata and controls

39 lines (21 loc) · 1.19 KB

Ancient Fern Cormorant

High

both the in-scope contract are meant to be upgradable but inherit from the normal version of ReentrancyGuard

Summary

both the in-scope contract are meant to be upgradable but inherit from the non-upgradable version of ReentrancyGuard. This is a big problem because if the contract is upgraded, the storage of ReentracyGuard will be messed up, leading to unexpected behaviour or to ReentracyGuard functionality not working properly. https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L8 https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L11

Root Cause

Using the non-upgradable version of ReentrancyGuard

Internal pre-conditions

the protocol team wanting to upgrade the contract with some new variables and functionality

External pre-conditions

None

Attack Path

None

Impact

The ReentrancyGuard functionality won't work as intended.

PoC

No response

Mitigation

Use ReentrancyGuardUpgradable instead of ReentrancyGuard. It has namespaced storage which will prevent this from happening