SYM_SOL_0028 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Enforcement of Behavioral Workflow
| Property | Value |
|---|---|
| Language | solidity |
| Severity | |
| CWE | CWE-841: Improper Enforcement of Behavioral Workflow |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The borrowFresh() function in Compound updates critical state variables after transferring tokens out, which makes it vulnerable to reentrancy attacks. This order allows attackers to re-enter the function before the state is securely updated.
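The ordering described above, shown beside the corrected ordering. This is an added example, not Compound's code or this database's rule; `SimplePool`, `borrowUnsafe`, `borrowSafe`, the ETH collateral and the 50% limit are hypothetical, and the underlying token is assumed to be one whose `transfer` can hand control to the recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified pool for illustration; not Compound's code.
contract SimplePool {
    IERC20Like public immutable underlying;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrowBalance;
    uint256 public totalBorrows;
    bool private entered;

    constructor(IERC20Like token) { underlying = token; }

    // Defense in depth: reject nested calls while a borrow is in progress.
    modifier nonReentrant() {
        require(!entered, "re-entered");
        entered = true;
        _;
        entered = false;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // Constructed rule: debt may not exceed half of the posted collateral.
    function _checkLimit(address who, uint256 amount) internal view {
        require(borrowBalance[who] + amount <= collateral[who] / 2, "limit");
    }

    // Flagged ordering: the external call runs while borrowBalance is stale,
    // so a nested call passes _checkLimit against the old debt.
    function borrowUnsafe(uint256 amount) external {
        _checkLimit(msg.sender, amount);
        require(underlying.transfer(msg.sender, amount), "transfer failed");
        borrowBalance[msg.sender] += amount; // recorded after control left the contract
        totalBorrows += amount;
    }

    // Corrected ordering: checks, then effects, then the interaction.
    function borrowSafe(uint256 amount) external nonReentrant {
        _checkLimit(msg.sender, amount);
        borrowBalance[msg.sender] += amount;
        totalBorrows += amount;
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }
}
```

In `borrowSafe` a failed transfer reverts the whole call, so the state writes made before it are rolled back and the accounting stays consistent.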
Impact
If exploited, an attacker could repeatedly borrow funds before their balance is adjusted, leading to unauthorized withdrawals and significant financial losses for the protocol. This could undermine trust and result in a total loss of user funds.