Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Usage of transfer() instead of call() when sending ETH

Summary

Vulnerability Details

LightChaser reported this issue only partially, so this report extends it. The root cause is that transfer() forwards a fixed stipend of 2300 gas to the recipient, which is no longer considered safe: the cost of opcodes such as SLOAD has been raised by past hard forks (EIP-1884 in Istanbul) and may change again, and many contracts that receive ETH today (multisigs, smart-contract wallets, proxies) have a receive() or fallback() that needs more than 2300 gas, for example because it writes storage. A transfer() to such a recipient reverts, and so does the whole transaction.

LightChaser flagged one instance in TokenManager.withdraw(), but it missed Rescuable.rescue(). That instance has a wider blast radius than withdraw(), because many of the protocol's contracts inherit Rescuable.

```solidity
// Rescuable.rescue() as quoted in the report; the Rescue event and
// _safe_transfer are declared elsewhere in the contract.
function rescue(
    address to,
    address token,
    uint256 amount
) external onlyOwner {
    if (token == address(0x0)) { // ETH
        // @audit-issue found by LightChaser, reported here with enhancements:
        // use call instead of transfer. transfer() forwards only 2300 gas, so
        // the send reverts for recipients whose receive()/fallback() needs more.
        payable(to).transfer(amount);
    } else { // Tokens
        _safe_transfer(token, to, amount);
    }
    emit Rescue(to, token, amount);
}
```

LightChaser's report also misses that the withdrawal flow is more involved than a single call. In some cases a user must first settle their ask/bid offers and only then can they withdraw the deposited funds, so the revert in transfer() hits at the very end of that flow.

Impact

Users whose account is a contract with a receive() or fallback() that needs more than 2300 gas cannot complete a withdrawal of their WETH balance through TokenManager.withdraw(), which pays out with transfer(). Likewise, the protocol owner cannot rescue ETH through Rescuable.rescue() to any address whose receive() or fallback() needs more than that amount of gas.

Tools Used

Recommendations

Use call{value: amount}("") instead of transfer() when sending ETH, and revert if the returned success flag is false. Because call() forwards all remaining gas, the recipient can re-enter the contract: keep the checks-effects-interactions order (update balances before the send) or add a reentrancy guard on functions that move user funds. For rescue() this is lower risk, since it is onlyOwner and updates no user balances, but withdraw() does touch balances and needs the guard.
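The following is an added example and is not part of the original report or of Tadle's code. It reproduces the failure mode described above and the recommended fix side by side: GasHungryReceiver, RescuableDemo and Demo are hypothetical contracts written for this illustration; only the transfer()/call() pattern is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not Tadle code): a recipient whose receive() writes
// storage. The SSTORE alone costs far more than the 2300-gas stipend that
// transfer() forwards, so any transfer() to this contract reverts.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}

// Hypothetical stand-in for Rescuable, so both send paths can be compared.
contract RescuableDemo {
    address public immutable owner;

    event Rescue(address indexed to, uint256 amount);

    constructor() payable {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable pattern from the report: fixed 2300-gas stipend.
    function rescueWithTransfer(address to, uint256 amount) external onlyOwner {
        payable(to).transfer(amount);
        emit Rescue(to, amount);
    }

    // Hardened pattern: forward all gas and check the success flag.
    // call() lets the recipient re-enter with full gas, so functions that
    // move user balances must update state before the send or use a
    // reentrancy guard; this owner-only rescue touches no user balances.
    function rescueWithCall(address to, uint256 amount) external onlyOwner {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit Rescue(to, amount);
    }
}

// Harness: deploy, then call run() with some ETH attached. Demo deploys
// RescuableDemo, so it is the owner and passes onlyOwner.
contract Demo {
    function run() external payable returns (bool transferOk, bool callOk) {
        RescuableDemo r = new RescuableDemo{value: msg.value}();
        GasHungryReceiver g = new GasHungryReceiver();
        uint256 half = msg.value / 2;

        // try/catch on an external call observes the revert without
        // bubbling it up, so both paths can be exercised in one transaction.
        try r.rescueWithTransfer(address(g), half) {
            transferOk = true;
        } catch {
            transferOk = false;
        }

        try r.rescueWithCall(address(g), half) {
            callOk = true;
        } catch {
            callOk = false;
        }
    }
}
```

Running run() with a non-zero value shows the asymmetry: the transfer() path reverts inside GasHungryReceiver.receive() and is caught, while the call() path succeeds and the receiver's balance counter is updated. Swapping GasHungryReceiver for an externally owned account makes both paths succeed, which is why the bug only surfaces for contract recipients.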

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-transfer-2300-gas

Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
