Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Using transfer instead of call may disallow interaction with some contracts to Sign-up

Vulnerability Details

The use of transfer() (with its fixed 2300 gas stipend) instead of call() for sending ETH causes the transaction to fail whenever the recipient is a contract whose receive or fallback function needs more than 2300 gas. This breaks compatibility with such contracts, since their receive logic can never complete within the stipend, and can therefore disable core contract functionality and create a poor user experience.

    function _refundETH(address payable _to) internal {
        uint256 refundValue = etherBalance[_to];
@>      _to.transfer(refundValue);
        etherBalance[_to] = 0;
    }

Impact

A recipient contract whose receive function requires more than 2300 gas will cause _refundETH to fail permanently, preventing that user from obtaining a refund before the deadline.
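The failure described above, and the call-based fix from the mitigation section, as an added Solidity example that is not code from the ChristmasDinner contest repository; RefundVault, GasHungryDepositor and their function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Refund vault reproducing the pattern from the finding (hypothetical name).
contract RefundVault {
    mapping(address => uint256) public etherBalance;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        etherBalance[msg.sender] += msg.value;
    }

    // Vulnerable form: transfer() forwards only the fixed 2300 gas stipend, so a
    // recipient whose receive() writes storage makes the whole refund revert.
    function refundWithTransfer(address payable _to) external nonReentrant {
        uint256 refundValue = etherBalance[_to];
        etherBalance[_to] = 0;
        _to.transfer(refundValue);
    }

    // Mitigated form: call() forwards all remaining gas; the balance is zeroed before
    // the external call (checks-effects-interactions) and nonReentrant blocks re-entry.
    function refundWithCall(address payable _to) external nonReentrant {
        uint256 refundValue = etherBalance[_to];
        etherBalance[_to] = 0;
        (bool success, ) = _to.call{value: refundValue}("");
        require(success, "refund failed");
    }
}

// A depositor whose receive() needs more than 2300 gas because it updates
// storage (as a multisig or accounting contract would).
contract GasHungryDepositor {
    uint256 public totalReceived;
    function depositInto(RefundVault vault) external payable {
        vault.deposit{value: msg.value}();
    }

    receive() external payable {
        totalReceived += msg.value; // SSTORE alone exceeds the 2300 stipend
    }
}
```

Deploy both contracts, fund the vault through depositInto with some ether, then refundWithTransfer(address(depositor)) reverts while refundWithCall(address(depositor)) succeeds and increments totalReceived.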

Recommended Mitigation

To mitigate this issue, consider using call instead of transfer for withdrawing ether. Moreover, the refund function is already protected against reentrancy attacks.

function _refundETH(address payable _to) internal {
uint256 refundValue = etherBalance[_to];
- _to.transfer(refundValue);
+ (bool success, ) = _to.call{value: refundValue}("");
+ require(success);
etherBalance[_to] = 0;
}
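Review bot: in this hunk `etherBalance[_to] = 0;` still executes after the external `call`, which now forwards all remaining gas rather than the 2300 stipend; move the state update before the call (checks-effects-interactions) so correctness does not rest solely on the reentrancy protection the text mentions, and give the check a reason, e.g. `require(success, "refund failed");`, so a failed refund is diagnosable.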

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

transfer instead of call
