Submission Details
Severity:
L-01: `transfer()` is deprecated and should not be used to transfer Ether
Summary
In ChristmasDinner::_refundETH(), transfer() is used to send ether. This is not recommended as transfer() sends a fixed gas of 2300 and is deprecated, which may not be sufficient in the future if the EVM gas costs changes. This will cause the funds in the contract to be stucked.
Vulnerability Details
function _refundETH(address payable _to) internal {
uint256 refundValue = etherBalance[_to];
-> _to.transfer(refundValue);
etherBalance[_to] = 0;
}
Impact
Sent gas may not be sufficient in the future if the EVM gas costs changes. This will cause the funds in the contract to be stucked.
Tools Used
Recommendations
transfer() has been deprecated and call() should be used instead.
function _refundETH(address payable _to) internal {
uint256 refundValue = etherBalance[_to];
- _to.transfer(refundValue);
+ (bool success,) = _to.call{value: refundValue}("");
+ require(success);
etherBalance[_to] = 0;
}
Updates
Lead Judging Commences
0xtimefliez about 1 year ago
Submission Judgement Published Assigned finding tags:
transfer instead of call
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.