Story
Your team launched a creator tipping product where fans send ETH to streamers and artists. It went viral after a product launch campaign, and treasury volume increased quickly.
Two days later, a bug bounty researcher reports that a creator account can withdraw more ether than it earned.
System Context
The lab contains a runnable Hardhat project:
contracts/TipJarVault.sol: vulnerable vault contract
contracts/ReentrancyAttacker.sol: attacker contract
scripts/demoAttack.js: reproduction script
test/reentrancy.attack.spec.js: automated exploit check
Expected behavior: each creator should only withdraw up to their tracked balance.
Problem
The withdrawal flow performs an external value transfer to caller-controlled code before internal accounting is fully finalized. If the caller is a contract, its callback can invoke the withdrawal path again inside the same transaction context while prior balance assumptions are still in play. This creates a mismatch between recorded balances and actual value movement, allowing repeated payouts and treasury loss.
Goal
Find the exact vulnerable line in the project code.