I was reviewing MystenLabs/sui and found something in bridge/evm/contracts/SuiBridgeV2.sol line 152 that might need attention.
(bool success,) = payable(address(vault)).call{value: amount}("");
Potential reentrancy: external call before state update. A low-level call like this forwards all remaining gas to vault, so if vault (or anything it calls in turn) can run attacker-controlled code, and the balance or accounting update happens after this line, that code can call back into the bridge before the update lands and withdraw again against stale state. Whether success is checked afterwards is also not visible from this line alone.
Worth a look to see if this is accounted for elsewhere — could be a real issue depending on the surrounding context.
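To make the ordering problem concrete, here is an added example that is not code from MystenLabs/sui: a small Python model of an Ethereum-style withdrawal. The vault and attacker classes, the run_attack helper and the funding amounts are all hypothetical; the point is that the VulnerableVault performs the external call before zeroing the balance (the same order as the flagged line), while SafeVault applies checks-effects-interactions and zeroes the balance first.

```python
# Added example (not code from MystenLabs/sui): a Python model of the
# "external call before state update" ordering so the reentrancy can be
# executed offline. Vault, VulnerableVault, SafeVault, Attacker and
# run_attack are hypothetical names invented for this illustration.


class Vault:
    """Base vault: per-account balances plus the ETH the contract actually holds."""

    def __init__(self, initial_eth: int) -> None:
        self.eth = initial_eth                 # value held by the contract
        self.balances: dict[object, int] = {}  # what each account is credited

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def _send(self, who, amount: int) -> None:
        """Models payable(to).call{value: amount}(""): hands control to the recipient."""
        if self.eth < amount:
            raise RuntimeError("insufficient balance")  # the EVM would fail the call
        self.eth -= amount
        who.receive(self, amount)  # recipient code runs here and may re-enter


class VulnerableVault(Vault):
    """Same ordering as the flagged line: external call first, state update after."""

    def withdraw(self, who) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")
        self._send(who, amount)   # interaction first ...
        self.balances[who] = 0    # ... effect afterwards: too late


class SafeVault(Vault):
    """Checks-effects-interactions: zero the balance before the external call."""

    def withdraw(self, who) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")
        self.balances[who] = 0    # effect first
        self._send(who, amount)   # interaction last


class Attacker:
    """Malicious recipient whose receive hook re-enters withdraw() while it can."""

    def __init__(self) -> None:
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        # Re-enter only while the vault still credits us and can still pay,
        # mirroring an attacker contract that checks address(vault).balance.
        if vault.balances.get(self, 0) > 0 and vault.eth >= amount:
            vault.withdraw(self)


def run_attack(vault_cls, vault_funds: int = 10, deposit: int = 1):
    """Fund a vault (constructed input), deposit once, withdraw once.

    Returns (ETH the attacker ended up with, ETH left in the vault).
    """
    vault = vault_cls(vault_funds)
    attacker = Attacker()
    vault.deposit(attacker, deposit)
    vault.withdraw(attacker)
    return attacker.received, vault.eth


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))  # (11, 0): drained
    print("safe:      ", run_attack(SafeVault))        # (1, 10): only the deposit
```

With the vulnerable ordering a single deposit of 1 lets the attacker pull out all 11 units, because every re-entrant withdraw() still sees the original credit; with the safe ordering the second call finds a zero balance and the attacker leaves with only what it deposited. A ReentrancyGuard-style mutex on withdraw() would also stop the nested call, but reordering the state update is the cheaper fix and removes the dependency on the recipient's behaviour.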