Unprotected Curve Pool from Read-Only Reentrancy
Description
The $POOL.get_virtual_price() call on a Curve pool is not protected from read-only reentrancy. get_virtual_price() is a view function with no reentrancy check, so a contract that reads it while the pool is mid-execution (for example, from code reached through the pool's raw ETH transfer during a withdrawal) receives a price computed from partially updated balances and LP supply, and any pricing or collateral logic built on that value can be manipulated.
Examples
Insecure Code
```solidity
pragma solidity ^0.8.0;

interface ICurvePool {
    function get_virtual_price() external view returns (uint256);
}

contract VulnerableContract {
    ICurvePool public immutable POOL;

    constructor(ICurvePool pool) {
        POOL = pool;
    }

    // Reads the LP price with no check that the pool is in a consistent state,
    // so a read reached through a pool callback returns a skewed value.
    function getVirtualPrice() public view returns (uint256) {
        return POOL.get_virtual_price();
    }
}
```
Secure Code
```solidity
pragma solidity ^0.8.0;

interface ICurvePool {
    function get_virtual_price() external view returns (uint256);
    function withdraw_admin_fees() external;
}

contract SecureContract {
    ICurvePool public immutable POOL;

    constructor(ICurvePool pool) {
        POOL = pool;
    }

    // withdraw_admin_fees() is guarded by the pool's reentrancy lock, so it
    // reverts if this read was reached while the pool is mid-execution.
    // The function can no longer be view because of the state-changing call.
    function getVirtualPrice() public returns (uint256) {
        POOL.withdraw_admin_fees();
        return POOL.get_virtual_price();
    }
}
```
Remediation
Protect the $POOL.get_virtual_price() call by ensuring it cannot be reached from a re-entered pool call: invoke a non-view function guarded by the pool's reentrancy lock, such as $VAR.withdraw_admin_fees(), immediately before the read, so the transaction reverts if the pool is mid-execution.
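As an added illustration that is not part of this rule's code or Curve's, the toy model below (constructed numbers, a constant-sum invariant in place of StableSwap's D) shows a reading taken during the pool's ETH transfer disagreeing with the settled price, and the same reading reverting once withdraw_admin_fees() is called first:

```python
# Added toy model (not Curve's code): remove_liquidity decrements balances and
# sends ETH (handing control to the receiver) before LP supply is reduced.
PRECISION = 10**18

class ReentrantCall(Exception):
    pass  # stands in for the revert of a Vyper @nonreentrant('lock') function

class ToyCurvePool:
    def __init__(self, eth, steth, lp_supply):
        self.balances = [eth, steth]  # index 0 is raw ETH, index 1 is stETH
        self.lp_supply = lp_supply
        self.locked = False

    def get_virtual_price(self):
        # View function with no lock check, like the real pool; a constant-sum
        # stand-in for the StableSwap invariant D keeps the arithmetic simple.
        return sum(self.balances) * PRECISION // self.lp_supply

    def withdraw_admin_fees(self):
        # Non-view and lock-protected: reverts while the pool is mid-execution.
        if self.locked:
            raise ReentrantCall("pool is locked")

    def remove_liquidity(self, lp_amount, receiver):
        self.locked = True
        for i in range(2):
            value = self.balances[i] * lp_amount // self.lp_supply
            self.balances[i] -= value
            if i == 0:
                receiver(self)  # raw ETH transfer: receiver code runs here
        self.lp_supply -= lp_amount  # LP burn happens only after the transfers
        self.locked = False

def guarded_read(pool):
    pool.withdraw_admin_fees()  # reverts if we were reached via a pool callback
    return pool.get_virtual_price()

def observe_during_callback(read):
    """Withdraw with a receiver that applies `read` mid-call; returns (mid, settled)."""
    pool = ToyCurvePool(eth=1000, steth=1000, lp_supply=2000)
    seen = []

    def receiver(p):
        try:
            seen.append(read(p))
        except ReentrantCall as exc:
            seen.append(exc)

    pool.remove_liquidity(1000, receiver)
    return seen[0], pool.get_virtual_price()
```

With the constructed pool, the unguarded mid-call reading is 0.75e18 while the settled price is 1e18; the guarded reading raises instead of returning the inconsistent value.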
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0479 |
| Category | Crypto |
| Severity | HIGH |
| CWE | CWE-841 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | reentrancy, curve pool |
| OWASP | N/A |
References
- https://chainsecurity.com/heartbreaks-curve-lp-oracles/
- https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/