0xPsuedoPandit
medium
claimLoanNFT function in TellerV2.sol contract is vulnerable to reentrancy, a malicious lender can claim the NFT again.
When the lender claims NFT through claimLoanNFT, the call goes to registerLoan function of LenderManager contract and mints NFT for the lender but a malicious lender can reenter into the function since the only check he has to pass is " require(sender == bid.lender, "only lender can claim NFT");" now bid.lender is not updated yet which essentially allows the lender to pass the check again and claim the NFT.
The lender can take the unfair gains.
none
Manual Review
bid.lender should be updated before making call to registerLoan
bid.lender = address(lenderManager); lenderManager.registerLoan(_bidId, sender);
Now "sender == bid.lender" check in claimLoan function will not pass while reentering in the function. Put a mutex lock on the function.