Storage changes after external calls

Low Risk

There are multiple instances where storage is updated after external calls are made. This opens up the possibility of reentrancy-related exploits. The affected functions are wrapped in the nonReentrant modifier, which mitigates the risk to some degree. However, the modifier only prevents re-entry into the functions that use it; other functions (updateCanvas, for example) can still be entered while the external call is in progress. Although we did not find a way to exploit this, we still recommend following the checks-effects-interactions pattern to make the code more robust.

Recommendation

Make storage changes before executing external calls.

Minting.sol

  • Move line 484 before the transfer of ETH (L459 for example).
  • In defaultMint, call fulfillMint first and handleFunds second.

Funds.sol

  • Move line 104 before the transfer of ETH (L81 for example).
  • Move line 173 before the transfer of ETH (L154 for example).
  • Move line 228 before the transfer of ETH (L209 for example).
  • Move line 286 before the transfer of ETH (L264 for example).
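The ordering the finding describes and the recommended ordering, side by side, as an added illustration that is not the audited project's code. The function names (defaultMint, fulfillMint, handleFunds, updateCanvas) are taken from the finding; the state variables, function bodies and the refund rule are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not the audited project's code: the names follow the
// finding, while state variables, bodies and the refund rule are assumptions.
abstract contract MintingBase {
    uint256 private _locked = 1;
    mapping(uint256 => address) public canvasOwner;
    uint256 public minted;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Unguarded: still callable while a nonReentrant function is mid-execution.
    function updateCanvas(uint256 id, address to) external {
        require(canvasOwner[id] == msg.sender, "not owner");
        canvasOwner[id] = to;
    }

    // Effect: the storage write the finding asks to move earlier.
    function fulfillMint(address to) internal {
        canvasOwner[minted] = to;
        minted += 1;
    }

    // Interaction: the ETH transfer hands control to `payer` before it returns.
    function handleFunds(address payer) internal {
        (bool ok, ) = payer.call{value: msg.value / 2}("");
        require(ok, "refund failed");
    }
}
// Ordering described in the finding: while handleFunds runs, `minted` and
// `canvasOwner` are stale, and updateCanvas operates on that stale state.
contract MintingBefore is MintingBase {
    function defaultMint(address payer) external payable nonReentrant {
        handleFunds(payer);
        fulfillMint(payer);
    }
}
// Recommended checks-effects-interactions ordering: storage is final before
// any external code can run, whether or not the re-entered function is guarded.
contract MintingAfter is MintingBase {
    function defaultMint(address payer) external payable nonReentrant {
        fulfillMint(payer);
        handleFunds(payer);
    }
}
```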