DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Low level call returns true if the address doesn't exist

Summary

If possible, avoid low-level calls. A low-level call returns true if the address doesn't exist.

Vulnerability Details

As written in the solidity documentation (warning section):
"The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed." (ref. https://docs.soliditylang.org/en/develop/control-structures.html#error-handling-assert-require-revert-and-exceptions)

Impact

If the address isn't a valid address, the contract still sends the value amount to it, leading to a loss of funds.

Tools Used

Slither

Recommendations

To mitigate this issue, it's generally recommended to avoid using the call function wherever possible, and to use higher-level functions like send or transfer instead. These higher-level functions provide more safety guarantees and are less prone to errors and vulnerabilities. It is also important to validate the destination addresses before sending the value. If it isn't possible to avoid the call function, check before any low-level call that the address actually exists and is valid.
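The behaviour quoted from the Solidity documentation, and the existence check the recommendation asks for, shown as an added example. This is not DittoETH code and not part of the submission; the contract and function names are made up for illustration. Calling a target that has no code with `target.call(data)` returns `(true, "")` regardless of what `data` encodes, so a caller that only checks `success` is fooled. `target.code.length > 0` is the standard guard (OpenZeppelin's Address library performs the same check when a call returns no data). The caveat a practitioner should keep in mind: `code.length` is also 0 for every externally owned account, so the check tells contracts apart from everything else; it cannot protect a plain ETH transfer to an EOA, where the only defence is validating the destination address before sending.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DittoETH code. Contract/function names are hypothetical.
contract LowLevelCallDemo {
    // Raw call, as the submission warns against. If `target` holds no code,
    // the EVM treats the call as a successful no-op: success == true and
    // `ret` is empty, even though nothing was executed.
    function unsafeCall(address target, bytes calldata data)
        external
        returns (bool success, bytes memory ret)
    {
        (success, ret) = target.call(data);
    }

    // Guarded call: refuse targets without code before calling, then bubble
    // up a revert. This is the "check account existence prior to calling"
    // step from the Solidity documentation, expressed in Solidity >= 0.8.1
    // via `address.code.length` (equivalent to the EXTCODESIZE opcode).
    function safeCall(address target, bytes calldata data)
        external
        returns (bytes memory ret)
    {
        require(target.code.length > 0, "target has no code");
        bool success;
        (success, ret) = target.call(data);
        require(success, "call reverted");
    }

    // Value transfer. A code-length check does not apply here: EOAs have no
    // code either, and sending ETH to an address that does not yet exist
    // simply creates it and never reverts. The only defence is validating
    // the destination (here: non-zero; a real contract would use whatever
    // allowlist or ownership check its design provides).
    function sendValue(address payable to) external payable {
        require(to != address(0), "zero address");
        (bool ok, ) = to.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}

// Minimal target so the two paths can be compared against a real contract.
contract Target {
    uint256 public x;

    function set(uint256 v) external {
        x = v;
    }
}
```

To reproduce the documented behaviour, deploy `LowLevelCallDemo` and `Target`, then call `unsafeCall` twice with `abi.encodeCall(Target.set, (1))`: once against the `Target` address (success, `x` becomes 1) and once against a fresh address that has never been used (success is still true, `x` of nothing changes, return data is empty). `safeCall` with the same fresh address reverts with "target has no code" instead.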

Updates

Lead Judging Commences

0xnevi Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
