Is my withdraw function vulnerable to reentrancy?

novemmask · June 4, 2024, 4:56pm

I have a pay ETH function in my smart contract. I deployed it ages ago and only just realized it might be vulnerable to reentrancy attacks.
Is it? I know that the msg.sender.transfer() max gas is 2300 but I don't know if its still vulnerable..

function payETH() external payable {
    uint256 amount = msg.value;
    uint256 existing = ethLoaned[msg.sender];
    if (amount > existing) {
        msg.sender.transfer(amount - existing);
        amount = existing;
    }
    ethLoaned[msg.sender] -= amount;
    emit Payback(msg.sender, amount);
}

Team_X · June 9, 2024, 5:49pm

yes, it is vulnerable to reentrancy attacks. Do not use the contract any further and try to withdraw any funds you may have deposited.

novemmask · June 9, 2024, 6:36pm

But what about the 2300 gas fee? Wouldn't it be safe to reentrancy attacks because it limits gas fees

cairoeth · June 11, 2024, 5:37pm

Correct -- as of the current state, that non-reentrancy assumption holds up as it's is enforced by EIP-2200, However, this can change in future network upgrades.

It's recommended to prevent reentrancy more explicitly, like by using ReentrancyGuard.

Topic		Replies	Views
Is this function vulnerable to a reentrancy attack? Smart Contracts	10	820	August 15, 2022
SafeERC20.sol / safeTransfer reentrancy Security	2	2484	June 8, 2022
Withdraw() executed on-chain or off-chain? (msg.sender safe as auth?) Contracts	2	643	February 9, 2022
High gas fee on withdrawn function Smart Contracts	5	398	June 28, 2022
Can't solve Re-entrancy challenge #10 Ethernaut	1	641	December 17, 2022

Is my withdraw function vulnerable to reentrancy?

Related topics