Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Use call() instead of transfer()

Summary

Use call() instead of transfer()

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L169

payable(msg.sender).transfer(claimAbleAmount);

Gas costs are variable, so smart contracts cannot rely on any specific gas cost.
Any smart contract that uses transfer() or send() is hard-wired to forward a fixed stipend of 2300 gas to the recipient, regardless of how much gas the recipient's receive() or fallback() actually needs.

Impact

A msg.sender that cannot be paid within the fixed 2300-gas stipend cannot receive its funds, so its withdrawal fails; this applies to every smart contract caller whose receive() or fallback() logic needs more gas than that.

Tools Used

Manual review

Recommendations

When using call(), there is no fixed gas limit, so the receiving contract can execute more complex logic. All relevant state variables are already updated before this call, which prevents reentrancy.

// ... existing code ...
// Replace this line
// payable(msg.sender).transfer(claimAbleAmount);
// Use call
(bool success, ) = payable(msg.sender).call{value: claimAbleAmount}("");
require(success, "ETH transfer failed");
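As an added illustration (not code from the Tadle repository), the withdraw pattern before and after the suggested change, next to a receiver contract whose receive() needs more than the 2300-gas stipend; the contract and function names (Vault, StorageWritingWallet, claimable) are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault: the same withdraw written with transfer() (fixed
// 2300-gas stipend) and with call() (forwards all remaining gas).
contract Vault {
    mapping(address => uint256) public claimable;

    function deposit() external payable {
        claimable[msg.sender] += msg.value;
    }

    // Before: reverts whenever msg.sender's receive()/fallback() needs more
    // than 2300 gas, e.g. a contract wallet that writes storage on receipt.
    function withdrawWithTransfer() external {
        uint256 amount = claimable[msg.sender];
        claimable[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // After: checks-effects-interactions, then call() with no gas cap.
    // The balance is zeroed BEFORE the external call, so a re-entering
    // receiver finds nothing left to withdraw.
    function withdrawWithCall() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to withdraw");
        claimable[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "ETH transfer failed");
    }
}

// Receiver whose receive() does a storage write (an SSTORE alone costs more
// than the whole 2300 stipend), so transfer() to it reverts while call() succeeds.
contract StorageWritingWallet {
    uint256 public received;
    Vault public vault;

    constructor(Vault v) { vault = v; }

    receive() external payable {
        received += msg.value; // storage write: exceeds the 2300-gas stipend
    }

    function fund() external payable { vault.deposit{value: msg.value}(); }
    function pullWithTransfer() external { vault.withdrawWithTransfer(); } // reverts
    function pullWithCall() external { vault.withdrawWithCall(); }         // succeeds
}
```

Deploying both, funding the wallet through fund(), and calling pullWithTransfer() then pullWithCall() shows the first revert and the second pay out, which is the behaviour the finding describes.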

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-transfer-2300-gas

Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
