Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Unsafe ETH Refund Implementation

Summary

The _refundETH function uses the deprecated transfer() method, which has a 2300 gas limit, and it updates state after the external call.

Vulnerability Details

The _refundETH function uses the deprecated transfer() method, which has a fixed gas limit of 2300, so the refund can fail if the recipient needs more gas. It also updates the contract state after the external call, violating the Checks-Effects-Interactions pattern. This introduces a reentrancy risk: because the balance is not cleared before the transfer, an attacker could re-enter the contract and manipulate the state.

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    _to.transfer(refundValue); // Uses transfer instead of call
    etherBalance[_to] = 0; // State update after external call
}

Impact

  • Refunds could fail due to gas limitations

  • Violates Checks-Effects-Interactions pattern

  • Potential reentrancy risk

Tools Used

Foundry

Recommendations

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    etherBalance[_to] = 0;
    (bool success, ) = _to.call{value: refundValue}("");
    require(success, "ETH transfer failed");
}
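
The gas-limit failure described under Vulnerability Details, as an added Foundry test that is not part of the original submission or the audited contract. RefundHarness, StorageWritingWallet and the test names are hypothetical; the harness reproduces only the etherBalance mapping and the two refund variants shown above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical harness: only the etherBalance mapping and the two refund
// variants shown on this page, not the audited contract.
contract RefundHarness {
    mapping(address => uint256) public etherBalance;
    function deposit() external payable { etherBalance[msg.sender] += msg.value; }
    function refundWithTransfer() external { // original pattern
        uint256 refundValue = etherBalance[msg.sender];
        payable(msg.sender).transfer(refundValue); // forwards only 2300 gas
        etherBalance[msg.sender] = 0;
    }
    function refundWithCall() external { // recommended pattern
        uint256 refundValue = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0; // effect before interaction
        (bool success, ) = payable(msg.sender).call{value: refundValue}("");
        require(success, "ETH transfer failed");
    }
}

// Constructed recipient: a contract wallet whose receive() writes storage,
// which needs more gas than the 2300 stipend.
contract StorageWritingWallet {
    uint256 public received;
    receive() external payable { received += msg.value; }
}

contract RefundGasTest is Test {
    RefundHarness harness = new RefundHarness();
    StorageWritingWallet wallet = new StorageWritingWallet();
    function setUp() public {
        vm.deal(address(wallet), 1 ether);
        vm.prank(address(wallet));
        harness.deposit{value: 1 ether}();
    }
    function test_TransferRefundRevertsForContractWallet() public {
        vm.prank(address(wallet));
        vm.expectRevert();
        harness.refundWithTransfer();
        assertEq(harness.etherBalance(address(wallet)), 1 ether); // funds stay locked
    }
    function test_CallRefundReachesContractWallet() public {
        vm.prank(address(wallet));
        harness.refundWithCall();
        assertEq(wallet.received(), 1 ether);
        assertEq(harness.etherBalance(address(wallet)), 0);
    }
}
```

Run it with forge test in a project that has forge-std installed.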

Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

transfer instead of call
