Withdrawing funds may get stuck due to transfer gas limit
Summary
Withdrawing funds may get stuck due to transfer gas limit
Vulnerability Details
Using payable(msg.sender).transfer(claimAbleAmount); can be an issue because it might fail if the msg.sender is a contract with a complex fallback function or if the gas cost of the transaction is high. The transfer method only forwards a limited amount of gas (2300 units), which is enough for simple operations but not for more complex contract functions.
If msg.sender is a contract with a fallback function that requires more than 2300 gas to execute, the transfer will fail, causing the entire TokenManager::withdraw function to revert. This means the user won’t receive their withdrawal amount, and the transaction will fail, even though the contract has enough funds to pay them.
As a result users(contracts) might not get their payments due to gas limitations.
Impact
Impact: High
Likelihood: Low
Proof of Concept
By calling the TokenManager::withdraw provided that the msg.sender has something to withdraw, and the msg.sender is a contract whose receive()/fallback() functions which would require more than 2300 gas to execute.
Tools Used
Manual Review
Recommendations
Inside TokenManager::withdraw use .call instead of transfer():
Lead Judging Commences
[invalid] finding-TokenManager-withdraw-transfer-2300-gas
Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.