I was reviewing MystenLabs/sui and found something in bridge/evm/contracts/BridgeVault.sol line 62 that might need attention.
(bool success,) = recipientAddress.call{value: amount}("");
Potential reentrancy — external call before state update. If balances are updated after the call, an attacker can drain funds via re-entrant calls.
Worth a look to see if this is accounted for elsewhere — could be a real issue depending on the surrounding context.
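To make the pattern in the comment concrete, here is an added, self-contained illustration that is not code from MystenLabs/sui or from BridgeVault.sol: a toy vault that tracks per-depositor balances and sends ETH before clearing the balance, an attacker contract that re-enters from its `receive()` hook, and the same vault reordered to checks-effects-interactions. The contract names, the `balances` mapping, and the "send whole balance" shape of `withdraw()` are assumptions made for the example; whether the real function is exploitable depends on what state its caller-visible checks read, which this example does not know.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a vault keyed by per-depositor balances.
// The names and the balances mapping are assumptions for illustration;
// nothing here is taken from MystenLabs/sui.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Interaction before effect: the external call runs while
    // balances[msg.sender] still holds the pre-withdrawal value, so a
    // re-entrant withdraw() passes the require() again and is paid again.
    function withdraw() external {
        uint256 bal = balances[msg.sender];
        require(bal > 0, "nothing to withdraw");
        (bool success,) = msg.sender.call{value: bal}("");
        require(success, "transfer failed");
        balances[msg.sender] = 0; // state update happens too late
    }
}

// Same logic in checks-effects-interactions order: the balance is cleared
// before the external call, so a re-entrant withdraw() fails its require().
contract SafeVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 bal = balances[msg.sender];
        require(bal > 0, "nothing to withdraw");   // check
        balances[msg.sender] = 0;                  // effect
        (bool success,) = msg.sender.call{value: bal}(""); // interaction
        require(success, "transfer failed");
    }
}

// Attacker: deposits `stake`, withdraws it, and from receive() calls
// withdraw() again while the vault's record of this contract's balance
// has not yet been zeroed. Each nested call pays out `stake` again until
// the vault can no longer cover a full payment.
contract Attacker {
    VulnerableVault public immutable vault;
    uint256 public immutable stake;

    constructor(VulnerableVault _vault) payable {
        vault = _vault;
        stake = msg.value;
    }

    function attack() external {
        vault.deposit{value: stake}();
        vault.withdraw();
    }

    receive() external payable {
        if (address(vault).balance >= stake) {
            vault.withdraw();
        }
    }
}
```

Running `Attacker.attack()` against `VulnerableVault` after other users have deposited leaves the vault with less than `stake` wei; the same call against `SafeVault` pays out exactly once, because the nested `withdraw()` sees a zero balance and reverts, which makes the outer low-level call return `success == false` and the whole transaction revert. Reordering state writes ahead of the external call is the fix the comment points at; a `nonReentrant` modifier (for example OpenZeppelin's ReentrancyGuard) is the usual belt-and-braces addition when the ordering is hard to guarantee across several functions.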