### Basic idea

The ERC1155Upgradeable contract that our RenodeBonding contract uses provides `_mint()`, which is called inside the `bond()` function. `bond()` is declared `external`, so users can call it directly.

```solidity
_mint(_msgSender(), nftIds[_type][_amount], 1, "0x");
```

The `_mint()` function in the ERC1155Upgradeable contract is defined as:

```solidity
function _mint(address to, uint256 id, uint256 amount, bytes memory data) internal {
    if (to == address(0)) {
        revert ERC1155InvalidReceiver(address(0));
    }
    (uint256[] memory ids, uint256[] memory amounts) = _asSingletonArrays(id, amount);
    _update(address(0), to, ids, amounts, data);
}
```

It calls `_update()` internally. Let's take a look at it:

```solidity
function _update(
    address from,
    address to,
    uint256[] memory ids,
    uint256[] memory amounts,
    bytes memory data
) internal virtual {
    if (ids.length != amounts.length) {
        revert ERC1155InvalidArrayLength(ids.length, amounts.length);
    }

    address operator = _msgSender();

    for (uint256 i = 0; i < ids.length; ++i) {
        uint256 id = ids.unsafeMemoryAccess(i);
        uint256 amount = amounts.unsafeMemoryAccess(i);

        if (from != address(0)) {
            uint256 fromBalance = _balances[id][from];
            if (fromBalance < amount) {
                revert ERC1155InsufficientBalance(from, fromBalance, amount, id);
            }
            unchecked {
                _balances[id][from] = fromBalance - amount;
            }
        }

        if (to != address(0)) {
            _balances[id][to] += amount;
        }
    }

    if (ids.length == 1) {
        uint256 id = ids.unsafeMemoryAccess(0);
        uint256 amount = amounts.unsafeMemoryAccess(0);
        emit TransferSingle(operator, from, to, id, amount);
        if (to != address(0)) {
            _doSafeTransferAcceptanceCheck(operator, from, to, id, amount, data);
        }
    } else {
        emit TransferBatch(operator, from, to, ids, amounts);
        if (to != address(0)) {
            _doSafeBatchTransferAcceptanceCheck(operator, from, to, ids, amounts, data);
        }
    }
}
```

Focus on the last `if` block, where we call the `_doSafeBatchTransferAcceptanceCheck` function. This matches the case described in the resource material.
Specifically, `_doSafeBatchTransferAcceptanceCheck` makes a call to the address `to` in the middle of its execution. This can cause re-entrancy if the called address calls back into our contract's functions.

### Mitigations

Add a non-reentrant modifier to the `bond()` function and to any other external function that calls ERC1155's `_mint()` internally.

### Resource

https://www.rareskills.io/post/where-to-find-solidity-reentrancy-attacks
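The mitigation described above, written out as an added example; it is not RenodeBonding's own code. The contract name `BondingSketch`, the `bondsOf` mapping, the `initialize()` signature, the key types of `nftIds` and the OpenZeppelin 5.0-style import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import paths (OpenZeppelin Contracts Upgradeable 5.0 layout).
import {ERC1155Upgradeable} from
    "@openzeppelin/contracts-upgradeable/token/ERC1155/ERC1155Upgradeable.sol";
import {ReentrancyGuardUpgradeable} from
    "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";

// Hypothetical stand-in for RenodeBonding: only the parts needed to show
// the guard are present; bond()'s real arguments and logic are not on the page.
contract BondingSketch is ERC1155Upgradeable, ReentrancyGuardUpgradeable {
    // type => amount => token id (key types are assumed)
    mapping(uint256 => mapping(uint256 => uint256)) public nftIds;
    // Hypothetical per-user accounting that bond() writes to.
    mapping(address => uint256) public bondsOf;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation so only a proxy can be initialized.
        _disableInitializers();
    }

    function initialize(string memory uri_) external initializer {
        __ERC1155_init(uri_);
        // The guard has its own initializer and must be called here.
        __ReentrancyGuard_init();
    }

    // nonReentrant makes a nested call to this (or any other guarded)
    // function revert while the outer call is still executing.
    function bond(uint256 _type, uint256 _amount) external nonReentrant {
        // Effects: finish every state write before the external call.
        bondsOf[_msgSender()] += 1;

        // Interaction: _mint() -> _update() -> acceptance check, which
        // calls into `to` (here the caller) when `to` is a contract.
        _mint(_msgSender(), nftIds[_type][_amount], 1, "0x");
    }
}
```

`nonReentrant` only blocks re-entry into functions that carry the modifier, which is why the sketch also completes its state writes before `_mint()` makes the external call.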