Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unsafe ETH Transfer Method Can Lead to Permanent Fund Lock and Reentrancy

sstoqnov_

Summary

The withdrawFees() function implements ETH transfers using the deprecated .transfer() method with a fixed gas stipend of 2,300 gas. This implementation, combined with the lack of reentrancy protection, creates a serious security risk that could result in either permanent fund locking or potential reentrancy attacks.

Vulnerability Details

The vulnerability stems from three main issues:

Use of .transfer() which is hardcoded to 2,300 gas. Modern smart contract wallets often require more than 2,300 gas for their receive functions.

Lack of Reentrancy Protection because there's nononReentrant modifier. `withdrawFees()` function doesn't follow CEIs pattern

**Missing Success Verification: **The function doesn't verify if the transfer was successful

Impact

The vulnerability can lead to several several issues like:

Fund Locking
- If the owner address is a smart contract wallet requiring >2,300 gas, funds become permanently locked
- Network gas cost changes could make the function permanently unusable
** Potential Reentrancy**
- Without reentrancy protection, complex attack vectors could emerge
- Multiple withdrawals might be possible in a single transaction

Tools Used

Manual Review
Foundry

Recommendations

Make sure to add nonReentrant modifier from OpenZeppelin and replace transfer() with call(), because `call()` is not limited to 2300 gas. After that checks

function withdrawFees() public nonReentrant onlyOwner {

uint256 balance = address(this).balance;

+ require(balance > 0, "No fees to withdraw");

- payable(owner()).transfer(balance);

+ (bool success, ) = payable(owner()).call{value: balance}("");

+ require(success, "ETH transfer failed");

emit FeeWithdrawn(owner(), balance);

}

Updates

Appeal created

bube Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Use of `transfer` instead of `call`

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.