Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Funds can be locked forever

Summary

The TokenManager:Withdraw() function can fail when paying out funds if the recipient's contract needs more than 2300 gas in its receive() or fallback function. This can leave funds permanently locked in the contract, particularly when the withdrawal is initiated from a multisig or other smart contract wallet.

Vulnerability Details

The TokenManager:Withdraw() function is used to withdraw a user's funds. If the token address is the wrappedNativeToken, it calls the withdraw function of the NativeToken contract, and the ether that the TokenManager contract receives is then sent to the user with the transfer function.

However, transfer() only forwards 2300 gas, which is not enough for the recipient to execute any non-trivial logic in a receive() or fallback function.

If a user calls withdraw() from a contract account, such as a multisig or smart contract wallet, whose receive() function requires more than 2300 gas, their subsequent claim() call will fail permanently. The user will not be able to withdraw that ETH, and it will be locked forever.

Impact

Locking of funds

Tools Used

Manual

Recommendations

Use call() instead of transfer().
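As an added illustration (not Tadle's code; contract names, the wrappedNativeToken interface and the balances mapping are assumed), the transfer()-based withdraw pattern the finding describes beside a call()-based variant that checks the return value and guards against the reentrancy that forwarding full gas allows, plus a contract wallet whose receive() cannot be paid with a 2300-gas stipend:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal WETH-style interface (hypothetical, not Tadle's code).
interface IWrappedNative {
    function withdraw(uint256 amount) external;
}

// Pattern the finding describes: unwrap, then push ETH with transfer(),
// which forwards only 2300 gas to the recipient.
contract TokenManagerTransferStyle {
    IWrappedNative public immutable wrappedNativeToken;
    mapping(address => uint256) public balances; // hypothetical accounting
    constructor(IWrappedNative wnt) { wrappedNativeToken = wnt; }
    receive() external payable {}                // accepts ETH from unwrap

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;          // reverts on underflow
        wrappedNativeToken.withdraw(amount);
        // Reverts for any caller whose receive()/fallback needs > 2300 gas,
        // so a contract wallet can never get its ETH out this way.
        payable(msg.sender).transfer(amount);
    }
}

// Hardened variant: same flow, but call() forwards all gas and the
// returned bool is checked; a guard covers the reentrancy call() allows.
contract TokenManagerCallStyle {
    IWrappedNative public immutable wrappedNativeToken;
    mapping(address => uint256) public balances;
    bool private locked;
    constructor(IWrappedNative wnt) { wrappedNativeToken = wnt; }
    receive() external payable {}

    function withdraw(uint256 amount) external {
        require(!locked, "reentrant");
        locked = true;
        balances[msg.sender] -= amount;          // effects before interaction
        wrappedNativeToken.withdraw(amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH send failed");
        locked = false;
    }
}

// A recipient that transfer() cannot pay: its receive() writes storage,
// which alone costs more than the 2300-gas stipend.
contract GasHungryWallet {
    uint256 public received;
    receive() external payable { received += msg.value; }
}
```

Deployed with GasHungryWallet as the caller, TokenManagerTransferStyle.withdraw reverts on the transfer() line while TokenManagerCallStyle.withdraw succeeds.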

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-transfer-2300-gas

Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
