The withdraw() function in the TokenManager contract uses the transfer() method to send ETH to the recipient. However, transfer() only forwards 2300 gas, which is insufficient for the recipient to execute any non-trivial logic in a receive() or fallback function. If the recipient is a contract that requires more gas, it will be unable to withdraw its ETH, resulting in the ETH being permanently locked in the contract.
The withdraw() function in the TokenManager contract allows users to withdraw their balance from the pool. For ETH withdrawals, the function uses the transfer() method:
The transfer() method is known for only forwarding 2300 gas to the recipient. This limitation is often sufficient for simple transfers to externally owned accounts (EOAs) but can cause issues when the recipient is a contract with a receive() or fallback function that requires more gas to execute.
If the recipient is a contract, such as the authority of an offer or taker, and the collateral is in ETH, the contract will be unable to withdraw ETH if its receive() or fallback function requires more than 2300 gas.
The use of transfer() in the withdraw() function can lead to the permanent locking of ETH within the contract when the recipient is a contract requiring more than 2300 gas to execute its logic.
vscode
Use the call() method instead of transfer() and avoid reentrancy.
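The recommendation above, sketched as an added example that is not the TokenManager source: `EthVault`, `StorageWritingRecipient` and all function names are hypothetical. It puts the transfer() pattern beside a call()-based withdrawal that zeroes the balance before the external call and sits behind a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal vault used only to illustrate the two send patterns.
contract EthVault {
    mapping(address => uint256) public balances;
    uint256 private locked = 1; // reentrancy guard: 1 = free, 2 = entered

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Pattern from the finding: transfer() forwards only the 2300-gas stipend,
    // so this reverts for any recipient whose receive()/fallback needs more.
    function withdrawWithTransfer() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount != 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // Recommended pattern: checks, then effects, then the interaction.
    function withdrawWithCall() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount != 0, "nothing to withdraw");
        balances[msg.sender] = 0; // state is updated before the external call
        (bool ok, ) = msg.sender.call{value: amount}(""); // forwards remaining gas
        require(ok, "ETH transfer failed"); // revert restores the balance
    }
}

// Hypothetical recipient: its receive() writes storage, which cannot be
// done within the 2300-gas stipend.
contract StorageWritingRecipient {
    uint256 public received;

    receive() external payable { received += msg.value; }

    function fund(EthVault vault) external payable { vault.deposit{value: msg.value}(); }

    function pull(EthVault vault, bool useCall) external {
        if (useCall) vault.withdrawWithCall();
        else vault.withdrawWithTransfer(); // reverts: receive() runs out of gas
    }
}
```

Because the whole transaction reverts when the send fails, a failed `withdrawWithTransfer()` leaves the recipient's balance recorded but unreachable through that path, which is the lock-up the finding describes.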
Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)