Report #14848

Report Date
December 17, 2022


Report Info

BIC Response

This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6

Due to these reasons, we are closing the submission and no reward will be issued.

Halborn Response

Yes, this is true; however, it does not make any sense considering how Pipeline is going to be used. And it is a risk already assumed in the documentation that if there are any funds left in there, they can be stolen.

Moreover, if the attacker controls the destination address, previously introduced by the client, the reentrancy is also meaningless, as the damage is evident. But I guess that risk is already assumed, as with any call to a malicious address.

Nevertheless, I can't come up with a scenario where a contract called from Pipeline needs to call back into Pipeline.