Submission Details
Severity:
Use of transfer() Instead of call() for Sending ETH
Summary
The withdrawFees() function uses transfer(), which has a fixed gas stipend and may fail.
Vulnerability Details
Location: src/TrickOrTreat.sol:withdrawFees()
Proof of Concept:
function testUnsafeETHTransfer() public {
// Fund the contract
vm.deal(address(spookySwap), 1 ether);
// Create a contract that rejects ETH transfers
ETHRejecter rejecter = new ETHRejecter();
// Change the owner to the ETHRejecter contract
vm.prank(owner);
spookySwap.changeOwner(address(rejecter));
// Try to withdraw fees
vm.expectRevert();
spookySwap.withdrawFees();
// Verify that the contract balance hasn't changed
assertEq(address(spookySwap).balance, 1 ether, "Contract balance should remain unchanged");
assertEq(address(rejecter).balance, 0, "Rejecter contract should not have received any ETH");
}
contract ETHRejecter {
receive() external payable {
revert("I reject ETH");
}
}
Impact
This could lead to stuck funds if the recipient is a contract with a complex fallback function or if gas costs increase significantly.
Tools Used
Forge
Recommendations
Use call() with proper checks for sending ETH.
Updates
Appeal created
bube about 1 year ago
Submission Judgement Published Assigned finding tags:
Use of `transfer` instead of `call`
Rewards breakdown
nSLOC
109This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.