Improper Enforcement of Behavioral Workflow
| Property | Value |
|---|---|
| Language | solidity |
| Severity | |
| CWE | CWE-841: Improper Enforcement of Behavioral Workflow |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The borrowFresh() function in Compound performs the external token transfer before it updates the critical borrow-accounting state (the interaction precedes the effect), which makes it vulnerable to reentrancy attacks. This ordering allows an attacker to re-enter the function while the state still reflects the pre-transfer balances, before they are securely updated.
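To make the ordering problem concrete, the following is an added, simplified lending pool written for this page; it is not Compound's code and the contract, function and variable names (LendingPoolVulnerable, LendingPoolHardened, accountBorrows, collateral, depositCollateral) are hypothetical. The vulnerable version reproduces the pattern the description names: the external transfer runs before the borrow balance is recorded, so a token that calls back into the recipient (for example one with transfer hooks) lets the caller re-enter borrowFresh() against stale state. The hardened version applies the checks-effects-interactions ordering, commits state before the external call, and adds a reentrancy guard as defense in depth. When reviewing code for this weakness, the check is mechanical: for every external call, confirm that no state write that the call's preconditions depend on occurs after it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the example (hypothetical, constructed for illustration).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// VULNERABLE ORDERING: the token transfer (interaction) happens before the
// borrow balance is written (effect). A token that calls back into the
// recipient during transfer() lets the recipient re-enter borrowFresh()
// while accountBorrows still holds the old, smaller value, so the
// collateral check passes again for funds that have already left.
contract LendingPoolVulnerable {
    IERC20 public immutable underlying;
    uint256 public totalBorrows;
    mapping(address => uint256) public accountBorrows;
    // Constructed simplification: collateral is tracked 1:1 in underlying units.
    mapping(address => uint256) public collateral;

    constructor(IERC20 token) { underlying = token; }

    function depositCollateral(uint256 amount) external {
        require(underlying.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        collateral[msg.sender] += amount;
    }

    function borrowFresh(uint256 amount) external {
        // Checks: stay within collateral and available cash.
        require(accountBorrows[msg.sender] + amount <= collateral[msg.sender], "insufficient collateral");
        require(underlying.balanceOf(address(this)) >= amount, "insufficient cash");

        // Interaction BEFORE effect: external call made against stale state.
        require(underlying.transfer(msg.sender, amount), "transfer failed");

        // Effects recorded too late: a re-entrant call above saw the old balance.
        accountBorrows[msg.sender] += amount;
        totalBorrows += amount;
    }
}

// HARDENED: checks-effects-interactions ordering plus a reentrancy guard.
contract LendingPoolHardened {
    IERC20 public immutable underlying;
    uint256 public totalBorrows;
    mapping(address => uint256) public accountBorrows;
    mapping(address => uint256) public collateral;

    // Simple mutex; 1 = unlocked, 2 = locked (non-zero values keep storage writes cheap).
    uint256 private locked = 1;
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    event Borrow(address indexed borrower, uint256 amount, uint256 accountBorrows, uint256 totalBorrows);

    constructor(IERC20 token) { underlying = token; }

    function depositCollateral(uint256 amount) external nonReentrant {
        // Effect first, then interaction; the guard also blocks re-entry through transferFrom.
        collateral[msg.sender] += amount;
        require(underlying.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function borrowFresh(uint256 amount) external nonReentrant {
        // Checks
        uint256 newAccountBorrows = accountBorrows[msg.sender] + amount;
        require(newAccountBorrows <= collateral[msg.sender], "insufficient collateral");
        require(underlying.balanceOf(address(this)) >= amount, "insufficient cash");

        // Effects: commit all accounting before any external call, so any
        // re-entrant call (already blocked by the guard) would see updated state.
        accountBorrows[msg.sender] = newAccountBorrows;
        totalBorrows += amount;
        emit Borrow(msg.sender, amount, newAccountBorrows, totalBorrows);

        // Interaction last.
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The reentrancy guard alone would stop the re-entry, but it should not be the only line of defense: the ordering fix is what removes the stale-state window, and it also covers cross-function and cross-contract paths that a per-function mutex does not. Emitting the event after the effects and before the interaction gives off-chain monitoring an accurate picture of the accounting even when the transfer later reverts.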
Impact
If exploited, an attacker could borrow repeatedly before their recorded balance is adjusted, leading to unauthorized withdrawals and significant financial losses for the protocol. This could undermine trust in the protocol and result in a total loss of user funds.