The `transfer` function is used to send Ether to users at the end of the game. While `transfer` is a commonly used method for sending funds, it comes with certain limitations that can cause security issues, especially in contracts that interact with other contracts or with users whose receiving logic is complex.
The vulnerability lies in the use of `transfer` to send Ether in the `endGame` function. Although `transfer` is simple and generally considered safe for sending small amounts of Ether, it has several issues that can cause failures:
Gas limitation: `transfer` forwards only a 2300-gas stipend to the receiving contract, which may be insufficient if the receiving contract performs complex operations or modifies its state.
Future incompatibility: As the Ethereum Virtual Machine (EVM) evolves, the gas cost of certain operations may increase, so the fixed 2300-gas stipend may become insufficient in the future. If the receiving contract then needs more gas to complete its necessary operations, the transfer will fail.
Funds indirectly at risk: If the receiving contract requires more gas to execute its logic, the transfer will fail, potentially leaving funds trapped in the contract and never delivered to the player.
Disruption in functionality: This issue could disrupt the functionality of the system, especially if the contract is integrated with other contracts that need to perform complex operations when receiving Ether.
Scalability and sustainability: As the EVM evolves, this issue could become more critical, since the gas required for certain operations may increase and exacerbate failures when using `transfer`.
Manual Review
To mitigate this issue, it is recommended to replace `transfer` with `call`, which allows for more flexibility by passing all available gas to the receiving contract. This ensures that the receiving contract can execute its logic without being restricted by the 2300-gas limit imposed by `transfer`. Additionally, using `call` is considered a more future-proof solution, as it provides greater compatibility with evolving gas costs.
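The following is an added, constructed illustration (not the audited contract) of the `transfer` to `call` change recommended above; contract and member names (`PrizeWithTransfer`, `PrizeWithCall`, `winner`, `prizePool`, `unclaimed`) are assumptions. It goes slightly beyond the recommendation in that, because `call` forwards all gas, the hardened version updates state before the external call and checks the returned success flag rather than discarding it.

```solidity
pragma solidity ^0.8.20;

// Constructed example: a minimal game that pays the winner when the round
// ends. Not the project's code; all names are assumptions.
contract PrizeWithTransfer {
    address payable public winner;
    uint256 public prizePool;
    bool public ended;

    // Before: transfer() forwards only a 2300-gas stipend. A winner that is a
    // contract whose receive()/fallback() does real work runs out of gas, the
    // send reverts, and the prize is stuck in this contract.
    function endGame() external {
        require(!ended, "already ended");
        ended = true;
        winner.transfer(prizePool);
    }
}

contract PrizeWithCall {
    address payable public winner;
    uint256 public prizePool;
    bool public ended;
    mapping(address => uint256) public unclaimed;

    // After: call forwards all remaining gas, so the recipient's logic is not
    // capped. Because the recipient can now re-enter, state is written before
    // the external call (checks-effects-interactions) and the boolean result
    // is inspected instead of silently dropped.
    function endGame() external {
        require(!ended, "already ended");
        ended = true;
        uint256 amount = prizePool;
        prizePool = 0;
        (bool ok, ) = winner.call{value: amount}("");
        if (!ok) {
            // Do not wedge the round on a misbehaving recipient: credit the
            // amount so the winner can pull it later.
            unclaimed[winner] += amount;
        }
    }

    function withdraw() external {
        uint256 amount = unclaimed[msg.sender];
        require(amount > 0, "nothing to withdraw");
        unclaimed[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```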