The transfer() call in the _refundETH method may fail when the recipient is a contract, because transfer() forwards only a fixed 2300-gas stipend to the recipient, which could prevent the user from receiving their funds.
When Ether is sent to a contract with transfer(), the recipient's receive() or fallback() function runs with only 2300 gas. That is enough for a plain EOA transfer or an empty receive(), but not for contracts with more complex logic in those functions (anything that writes storage, emits an event or makes a further call). As a result, refunds to such contracts fail and their owners are unable to claim their Ether.
If the recipient is a contract, the refund transaction reverts with out-of-gas inside transfer(), so the user never receives their refund. Since the same code path is taken on every attempt, the funds the user is entitled to become effectively unreachable, leading to dissatisfaction and loss of trust in the platform.
Manual code review
To avoid this issue, it is recommended to send Ether with a low-level call{value: ...}("") instead of transfer(), since call forwards the remaining gas rather than a fixed 2300 stipend. Because call does not revert on failure, its returned success flag must be checked explicitly, and the refund should follow the Checks-Effects-Interactions (CEI) pattern so that the user's pending balance is zeroed before the external call is made.
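The following contract is an added illustration written for this finding, not the audited project's code: it places the transfer()-based refund beside a CEI-ordered call{value:} version, and includes a recipient whose receive() writes storage so that the 2300-gas stipend is exceeded. The pendingRefunds mapping, the credit() and claim() entry points and the LoggingRecipient contract are constructed assumptions; only the _refundETH name comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative refund contract (assumption: bookkeeping lives in `pendingRefunds`).
contract RefundExample {
    mapping(address => uint256) public pendingRefunds;

    error RefundFailed(address to, uint256 amount);

    // Constructed entry points so the example can be exercised end to end.
    function credit(address who) external payable { pendingRefunds[who] += msg.value; }
    function claim() external { _refundETH(payable(msg.sender)); }

    // Vulnerable pattern from the finding: transfer() forwards a fixed 2300-gas
    // stipend and reverts if the recipient's receive()/fallback() needs more,
    // so a contract recipient such as LoggingRecipient can never be refunded.
    function _refundETHUnsafe(address payable to) internal {
        uint256 amount = pendingRefunds[to];
        pendingRefunds[to] = 0;
        to.transfer(amount); // out-of-gas for any recipient needing > 2300 gas
    }

    // Recommended pattern: Checks-Effects-Interactions, then call{value:}.
    //   Checks:       nothing owed -> return early.
    //   Effects:      zero the balance BEFORE the external call, so a
    //                 re-entrant claim() sees amount == 0 (call forwards all
    //                 remaining gas, which is why this ordering matters).
    //   Interactions: low-level call; it does not revert on failure, so the
    //                 returned success flag must be checked explicitly.
    function _refundETH(address payable to) internal {
        uint256 amount = pendingRefunds[to];
        if (amount == 0) return;
        pendingRefunds[to] = 0;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert RefundFailed(to, amount);
    }
}

/// Constructed recipient whose receive() writes storage. An SSTORE alone costs
/// far more than 2300 gas, so transfer() to this contract always reverts while
/// call{value:} succeeds.
contract LoggingRecipient {
    uint256 public received;
    receive() external payable { received += msg.value; }
}
```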