The withdrawal function uses `transfer` instead of `call` to transfer ETH, this can lead to loss of funds for smart contract accounts
Summary
When withdrawing and ETH, the TokenManager.sol contract uses Solidity’s transfer() function.
Vulnerability Details
Using Solidity's transfer() function has some notable shortcomings when the withdrawer is a smart contract, making ETH deposits impossible to withdraw. Specifically, the withdrawal will inevitably fail when:
The withdrawer smart contract does not implement a payable fallback function.
The withdrawer smart contract implements a payable fallback function that uses more than 2300 gas units.
The withdrawer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through a proxy that raises the call’s gas usage above 2300.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L169
Impact
Loss of Funds because withdrawal will fail
Tools Used
Manual Analysis
Recommendations
Use call instead of transfer.
Lead Judging Commences
[invalid] finding-TokenManager-withdraw-transfer-2300-gas
Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.