Submission Details
Severity: low
Invalid

Potential Failure When Sending ETH to Contracts

Summary

The unstake function uses the send method to transfer ETH, which may fail if the recipient address is a contract that does not accept ETH transfers.

Vulnerability Details

In the unstake function:

send(_to, _amount)

The send method attempts to transfer ETH to the address specified by _to. In Vyper, if the recipient address is a contract, and this contract does not include a __default__(_name: type) external payable function to handle incoming ETH (which is invoked when ETH is sent to the contract), the transfer will fail. Contracts that do not have this function will not be able to accept ETH, leading to a failed transaction when using send.

Impact

If the recipient address is a contract without a proper __default__ function or equivalent to accept ETH, the transaction will fail. This can result in the failure of unstaking operations and potential loss of ETH, as the transfer cannot be completed.

Tools Used

Manual Code Review

Recommendations

To ensure reliable ETH transfers in the unstake function, first, implement a check to verify if the recipient address is a contract and ensure that it can handle ETH transfers. Before executing the transfer, capture the contract's ETH balance, and then perform the transfer. Afterward, verify that the contract's balance has decreased by the exact amount transferred. This process helps confirm that the transfer was successful and that the recipient can handle ETH, reducing the risk of failed transactions or lost funds.

Updates

Lead Judging Commences
inallhonesty, Lead Judge, 10 months ago

Submission Judgement Published
inallhonesty, Lead Judge, 9 months ago
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Usage of send is not the best thing
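
Added example (not part of the submission or of the audited contract), relating to the "Usage of send" tag above: a Vyper 0.3.x contract contrasting `send`, which reverts the whole transaction when the recipient rejects the ETH, with `raw_call` and an explicit success check. The names `staked`, `stake`, `unstake_send`, `unstake_checked` and `UnstakeFailed` are hypothetical.

```vyper
# @version ^0.3.10
# Added illustration only. All names below are hypothetical and are not
# taken from the audited contract.

# ETH credited to each staker, in wei
staked: public(HashMap[address, uint256])

event UnstakeFailed:
    to: indexed(address)
    amount: uint256

@external
@payable
def stake():
    self.staked[msg.sender] += msg.value

@external
@nonreentrant("unstake")
def unstake_send(_to: address, _amount: uint256):
    # Checked arithmetic: reverts if the caller has staked less than _amount.
    self.staked[msg.sender] -= _amount
    # send() forwards no gas of its own (the recipient gets only the 2300-gas
    # stipend) and reverts the whole transaction if the call fails, so the
    # balance update above is rolled back together with the transfer.
    # A recipient contract accepts plain ETH only if it defines
    #   @external
    #   @payable
    #   def __default__(): ...
    send(_to, _amount)

@external
@nonreentrant("unstake")
def unstake_checked(_to: address, _amount: uint256) -> bool:
    # State is updated before the external call and the function is guarded
    # against reentrancy, because raw_call forwards all remaining gas.
    self.staked[msg.sender] -= _amount
    success: bool = raw_call(_to, b"", value=_amount, revert_on_failure=False)
    if not success:
        # Recipient rejected the ETH: restore the stake and record the failure
        # instead of reverting, so the caller can retry with another address.
        self.staked[msg.sender] += _amount
        log UnstakeFailed(_to, _amount)
    return success
```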
