Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Using transfer instead of call may disallow interaction with some contracts

Summary

Vulnerability Details

transfer() forwards a fixed 2300 gas stipend to the recipient and reverts if the recipient's receive() or fallback() needs more than that. 2300 gas is only enough for a trivial handler: a single non-zero storage write already costs more, so any recipient contract that does accounting on receipt (a multisig, a payment splitter, a vault that tracks deposits) cannot accept ETH sent this way. Because withdrawFees() uses transfer() rather than call(), an owner that is such a contract can never collect the fees, which breaks core contract functionality for contract owners. Opcode gas costs have also been raised in past hard forks (EIP-1884), so what fits in the stipend is not stable, which is why transfer() is no longer the recommended way to send ETH.

```solidity
function withdrawFees() public onlyOwner {
    uint256 balance = address(this).balance;
    // @audit-info transfer() forwards only a 2300 gas stipend to owner(); a contract owner with a non-trivial receive() cannot accept it
@>  payable(owner()).transfer(balance);
    emit FeeWithdrawn(owner(), balance);
}
```

Impact

If owner() is a contract whose receive() or fallback() consumes more than 2300 gas, every call to withdrawFees() reverts and the accumulated fees stay in the contract. The funds are not lost outright: assuming the usual Ownable transferOwnership(), the owner can move ownership to an address that can accept the stipend-limited transfer (an EOA, or a contract with an empty receive()) and withdraw from there. The finding is therefore a denial of the withdrawal path for contract owners rather than a permanent lock, consistent with the low severity.

Tools Used

Recommendations

Send the fees with call(), which forwards all remaining gas, and check the returned success flag, since call() does not revert on failure by itself. Because call() gives the recipient unbounded gas, either keep the function free of state changes after the external call or add a reentrancy guard (for example OpenZeppelin's nonReentrant). In withdrawFees() the only work after the call is the event emission and the caller is restricted by onlyOwner, so the guard is a defensive measure rather than a fix for an exploitable path here.
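The failure mode described under Impact and the fix recommended above, as an added Foundry test that is not part of the original submission or the audited project. The vault contracts, the owner contract and all names (FeeVaultTransfer, FeeVaultCall, AccountingOwner) are hypothetical stand-ins; ownership is a plain constructor-set address instead of Ownable, and the test assumes forge-std is available. The owner contract's receive() does one storage write, which alone exceeds the 2300 gas stipend, so the transfer()-based withdrawal reverts while the call()-based one succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract (not the project's code).
// Vulnerable form: transfer() forwards only a 2300 gas stipend.
contract FeeVaultTransfer {
    address public owner;
    event FeeWithdrawn(address indexed to, uint256 amount);

    constructor(address _owner) { owner = _owner; }
    receive() external payable {}

    function withdrawFees() public {
        require(msg.sender == owner, "not owner");
        uint256 balance = address(this).balance;
        payable(owner).transfer(balance); // reverts if owner needs > 2300 gas
        emit FeeWithdrawn(owner, balance);
    }
}

// Hardened form: call() forwards all remaining gas; the success flag must be
// checked because call() does not revert on its own. A simple lock covers
// the reentrancy concern raised in the recommendation.
contract FeeVaultCall {
    address public owner;
    bool private locked;
    event FeeWithdrawn(address indexed to, uint256 amount);

    constructor(address _owner) { owner = _owner; }
    receive() external payable {}

    function withdrawFees() public {
        require(msg.sender == owner, "not owner");
        require(!locked, "reentrant");
        locked = true;
        uint256 balance = address(this).balance;
        (bool success, ) = payable(owner).call{value: balance}("");
        require(success, "withdraw failed");
        emit FeeWithdrawn(owner, balance);
        locked = false;
    }
}

// Hypothetical owner that is a contract doing accounting on receipt.
// A single non-zero SSTORE costs far more than the 2300 gas stipend.
contract AccountingOwner {
    uint256 public received;
    receive() external payable { received += msg.value; }

    function pullTransfer(FeeVaultTransfer v) external { v.withdrawFees(); }
    function pullCall(FeeVaultCall v) external { v.withdrawFees(); }
}

contract TransferVsCallTest is Test {
    AccountingOwner ownerContract;
    FeeVaultTransfer vaultTransfer;
    FeeVaultCall vaultCall;

    function setUp() public {
        ownerContract = new AccountingOwner();
        vaultTransfer = new FeeVaultTransfer(address(ownerContract));
        vaultCall = new FeeVaultCall(address(ownerContract));
        // Constructed fixture: pretend 1 ether of fees has accumulated in each.
        vm.deal(address(vaultTransfer), 1 ether);
        vm.deal(address(vaultCall), 1 ether);
    }

    // transfer() runs the owner's receive() out of gas, so the withdrawal
    // reverts and the fees stay in the vault.
    function test_transferRevertsForStorageWritingOwner() public {
        vm.expectRevert();
        ownerContract.pullTransfer(vaultTransfer);
        assertEq(address(vaultTransfer).balance, 1 ether);
    }

    // call() forwards enough gas for the same receive(), so the fees move.
    function test_callSucceedsForSameOwner() public {
        ownerContract.pullCall(vaultCall);
        assertEq(address(vaultCall).balance, 0);
        assertEq(ownerContract.received(), 1 ether);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the first test shows the locked-withdrawal condition and the second shows that only the send mechanism needs to change for the same owner contract to be paid.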

```diff
function withdrawFees() public onlyOwner {
uint256 balance = address(this).balance;
// @audit-info use transfer to withdraw the fund can impose some vulnerability
- payable(owner()).transfer(balance);
+ (bool success, ) = payable(owner()).call{value: balance}("");
+ require(success);
emit FeeWithdrawn(owner(), balance);
}
```
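Review bot: `require(success);` on the second added line carries no revert reason, so a failed withdrawal surfaces as a bare revert; use `require(success, "withdraw failed");` or a custom error so the owner can tell a send failure from the onlyOwner check. The recommendation text also calls for a reentrancy guard, but the diff adds none; since nothing after the call changes state, that is acceptable here, but say so or add `nonReentrant` to match the text. Finally, the unchanged `// @audit-info` comment still describes transfer() and should be dropped with the line it annotated.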
Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Use of `transfer` instead of `call`
