Submission Details
Severity:
Use `call()` instead of `transfer()`
Summary
ChristmasDinner::_refundETH uses transfer() function to send ethers from contract to the user. However, it is not recommened to use it.
Vulnerability Details
The transfer function is not recommended for sending native token due to its, 2300 gas unit limit. Instead, call can be used to circumvent the gas limit.
function _refundETH(address payable _to) internal {
uint256 refundValue = etherBalance[_to];
@> _to.transfer(refundValue);
etherBalance[_to] = 0;
}
Impact
transfer() uses a fixed amount of gas, which can result in revert.
Tools Used
Manual, VSCode
Recommendations
Use call() instead of transfer()
function _refundETH(address payable _to) internal {
uint256 refundValue = etherBalance[_to];
- _to.transfer(refundValue);
+ (bool success,) = to.call{value: refundValue}("");
etherBalance[_to] = 0;
}
Updates
Lead Judging Commences
0xtimefliez about 1 year ago
Submission Judgement Published Assigned finding tags:
transfer instead of call
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.