Credit to Liam Zebedee for finding this bug
The following is from Liam's email notifying us of the vulnerability:
Exploit mechanism: Re-entrancy attacks
If the ERC20.transferFrom call is re-entrant, meaning it will maliciously call back into the Subscription, it is possible to exploit some facts:
```solidity
//increment the timestamp by the period so it wont be valid until then
nextValidTimestamp[subscriptionHash] = block.timestamp.add(periodSeconds);
```
This is executed before transferFrom - so a malicious actor (who specifically has engineered their own proxy contract with a valid nonce/sig for re-entrant calls) can effectively extend their subscription period by periodSeconds every call. Infinite Netflix anyone?
mbeacom
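One common mitigation for the re-entrancy described in this issue, shown as an added example that is not the project's own code: a contract-wide mutex, so a token whose `transferFrom` calls back into the subscription contract reverts regardless of which nonce or signature the nested call carries. Only `nextValidTimestamp`, `subscriptionHash` and `periodSeconds` come from the issue; the contract name, interface, function signature and hash layout are simplified assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's contract. Hypothetical names:
// IERC20Minimal, GuardedSubscription, executeSubscription's parameter list.
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedSubscription {
    mapping(bytes32 => uint256) public nextValidTimestamp;
    bool private locked; // re-entrancy mutex shared by every guarded entry point

    modifier nonReentrant() {
        // A nested call arriving from inside transferFrom finds the lock set and reverts,
        // which also reverts the outer call's state change.
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function executeSubscription(
        address from, address to, address token, uint256 amount,
        uint256 periodSeconds, uint8 v, bytes32 r, bytes32 s
    ) external nonReentrant {
        // Assumed hash layout: binds the authorization to this contract and these terms.
        bytes32 subscriptionHash = keccak256(
            abi.encodePacked(address(this), from, to, token, amount, periodSeconds));
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", subscriptionHash));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == from, "bad signature");
        require(block.timestamp >= nextValidTimestamp[subscriptionHash], "not due yet");

        // Same state update the issue quotes; 0.8 checked arithmetic replaces SafeMath's add().
        nextValidTimestamp[subscriptionHash] = block.timestamp + periodSeconds;

        // External call into a token the subscriber chose: treat it as untrusted code.
        require(IERC20Minimal(token).transferFrom(from, to, amount), "transfer failed");
    }
}
```

Any other state-changing function on the same contract needs the same modifier, otherwise the callback can enter through the unguarded one.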