Submission Details
Severity:
Use of transfer() Instead of call() for Sending ETH
Summary
The withdrawFees() function uses transfer(), which has a fixed gas stipend and may fail.
Vulnerability Details
Location: src/TrickOrTreat.sol:withdrawFees()
Proof of Concept:
function testUnsafeETHTransfer() public {
// Fund the contract
vm.deal(address(spookySwap), 1 ether);
// Create a contract that rejects ETH transfers
ETHRejecter rejecter = new ETHRejecter();
// Change the owner to the ETHRejecter contract
vm.prank(owner);
spookySwap.changeOwner(address(rejecter));
// Try to withdraw fees
vm.expectRevert();
spookySwap.withdrawFees();
// Verify that the contract balance hasn't changed
assertEq(address(spookySwap).balance, 1 ether, "Contract balance should remain unchanged");
assertEq(address(rejecter).balance, 0, "Rejecter contract should not have received any ETH");
}
contract ETHRejecter {
receive() external payable {
revert("I reject ETH");
}
}
Impact
This could lead to stuck funds if the recipient is a contract with a complex fallback function or if gas costs increase significantly.
Tools Used
Forge
Recommendations
Use call() with proper checks for sending ETH.
Updates
Appeal created
bube 11 months ago
Submission Judgement Published Assigned finding tags:
Use of `transfer` instead of `call`
Rewards breakdown
nSLOC
109This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.