Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Participants can be blocked from getting a refund due to `transfer` usage

Summary

The contract uses `transfer` to send Ether back to a participant who requests a refund. `transfer` forwards only a fixed 2300-gas stipend, so a participant that is a contract whose `receive` or `fallback` function needs more gas than that cannot receive its refund.

Vulnerability Details

In the _refundETH function, the contract uses the transfer method to send Ether:

_to.transfer(refundValue);

`transfer` forwards a fixed stipend of 2300 gas, which is not always sufficient. If the participant is a contract whose `receive` or `fallback` function needs more gas than that, the transfer reverts. Because the ETH refund and the token refund happen in the same transaction, the failed ETH transfer reverts the token refund as well, so the participant is blocked from both.

Impact

Participants can be blocked from getting a refund.

Tools Used

Recommendations

Replace `transfer` with `call`, which forwards all remaining gas (or a chosen amount) and so works with recipient contracts whose receive logic is more complex. This way the Ether transfer no longer fails just because the recipient needs more than the 2300-gas stipend.

Here’s the updated version of the _refundETH function using call:

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    // Zero the balance before the external call (checks-effects-interactions):
    // call forwards all remaining gas, so the recipient could otherwise reenter.
    etherBalance[_to] = 0;
    (bool success, ) = _to.call{value: refundValue}("");
    require(success, "ETH refund failed");
}
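
The failure mode and the fix side by side, as an added Foundry test that is not part of this submission or of the Christmas Dinner codebase. RefundVault and GasHungryParticipant are hypothetical stand-ins: the participant's receive() performs one storage write, which alone exceeds the 2300-gas stipend, so the transfer-based refund reverts while the call-based refund (balance zeroed before the call) succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal refund contract with both refund variants.
contract RefundVault {
    mapping(address => uint256) public etherBalance;
    function deposit() external payable { etherBalance[msg.sender] += msg.value; }

    // Vulnerable variant: transfer forwards only a 2300-gas stipend.
    function refundWithTransfer() external {
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // Recommended variant: call forwards all gas; state is zeroed first (CEI).
    function refundWithCall() external {
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }
}

// Hypothetical participant whose receive() writes storage (costs more than 2300 gas).
contract GasHungryParticipant {
    uint256 public received;
    RefundVault immutable vault;
    constructor(RefundVault _vault) { vault = _vault; }
    function join() external payable { vault.deposit{value: msg.value}(); }
    function refundTransfer() external { vault.refundWithTransfer(); }
    function refundCall() external { vault.refundWithCall(); }
    receive() external payable { received += msg.value; } // SSTORE > 2300 gas
}

contract RefundGasTest is Test {
    function test_transferRevertsButCallSucceeds() public {
        RefundVault vault = new RefundVault();
        GasHungryParticipant p = new GasHungryParticipant(vault);
        vm.deal(address(this), 1 ether);
        p.join{value: 1 ether}();
        vm.expectRevert();       // transfer path: stipend exhausted in receive()
        p.refundTransfer();
        p.refundCall();          // call path: refund arrives
        assertEq(address(p).balance, 1 ether);
        assertEq(p.received(), 1 ether);
    }
}
```
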
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

transfer instead of call
