The function does not specify gas constraints for the external call. An attacker could exploit this by submitting a high gas call, potentially draining contract funds or causing an out-of-gas issue.
The function `MembershipFactory::callExternalContract` uses Solidity's low-level `call` to invoke another contract. However, it does not specify a gas limit for that external call, so all remaining gas is forwarded to the callee. Without a gas bound, an attacker can submit a transaction with a large gas amount, which the author states could lead to draining the contract's balance or to an out-of-gas exception; the latter would cause a denial of service (DoS) for users trying to call this function.
Denial of Service (DoS): If the attacker uses excessive gas, the contract may run out of gas or be unable to complete the call, causing the function to fail.
Funds Drain: If the external contract requires excessive gas or has been designed maliciously, it could consume more gas than expected, leading to funds being spent on gas and reducing the available balance for legitimate users.
Manual analysis
To mitigate this issue, set an explicit gas limit when calling the external contract, so that the gas forwarded is predictable and stays within an acceptable range. This prevents excessive gas consumption by the callee.
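The pattern below is an added illustration and is not the audited `MembershipFactory` code: it shows the unbounded `call` described in the finding next to a version that forwards a fixed gas amount. The contract name, the `target`/`data` parameters and the `EXTERNAL_CALL_GAS` cap of 50,000 are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the project's own code. Names and the gas cap are assumed.
contract MembershipFactoryExample {
    // Assumed cap on the gas forwarded to an external callee.
    uint256 public constant EXTERNAL_CALL_GAS = 50_000;

    event ExternalCall(address indexed target, bool success);

    // Vulnerable pattern from the finding: `call` with no gas specified
    // forwards all remaining gas (all but 1/64 of it, per EIP-150) to the
    // callee, so the callee's gas usage is bounded only by the transaction.
    function callExternalContractUnbounded(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "external call failed");
        emit ExternalCall(target, ok);
        return ret;
    }

    // Hardened version: forward a fixed, bounded gas amount. Whatever gas the
    // transaction carries, the callee can consume at most EXTERNAL_CALL_GAS.
    function callExternalContractBounded(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(target.code.length > 0, "target is not a contract");
        (bool ok, bytes memory ret) = target.call{gas: EXTERNAL_CALL_GAS}(data);
        require(ok, "external call failed");
        emit ExternalCall(target, ok);
        return ret;
    }
}
```

When sizing the cap, measure the gas the intended callee actually needs and add headroom; a limit that is too low makes the hardened function revert for every legitimate caller, which is its own denial of service.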