Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: medium
Valid

Deprecated transfer Method Used in _refundETH Function

Summary

The _refundETH function uses the transfer method to send Ether to users. This method has been deprecated due to its hard-coded gas stipend of 2300, which can cause transactions to fail if the recipient's fallback or receive function needs more gas than that. This issue can leave users unable to withdraw their Ether, with funds stuck in the contract.

Vulnerability Details

function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    _to.transfer(refundValue); // @audit deprecated
    etherBalance[_to] = 0;
}

Impact

  • Ether Stuck in Contract: Users may be unable to successfully withdraw their Ether.

  • Reduced Usability: Legitimate withdrawals fail, frustrating users and damaging trust in the contract.

Tools Used

manual review

Recommendations

Replace the transfer method with the call method, which allows specifying the gas limit dynamically and ensures compatibility with a broader range of recipient addresses.

Updated _refundETH Function:

function _refundETH(address payable _to) private {
    // etherBalance is the mapping name used in the original function above
    uint256 refundAmount = etherBalance[_to];
    require(refundAmount > 0, "No ETH to refund");
    // Zero the balance before the external call
    etherBalance[_to] = 0;
    // Replace transfer with call
    (bool success, ) = _to.call{value: refundAmount}("");
    require(success, "ETH transfer failed");
}

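
The failure mode and the fix can be reproduced side by side. This is an added example, not code from the audited contract: RefundDemo, StorageWritingRecipient and RefundHarness are hypothetical names, and the recipient is constructed so that its receive() needs more than the 2300 gas stipend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed demo; all contract and function names are hypothetical.
contract RefundDemo {
    mapping(address => uint256) public etherBalance;

    function deposit() external payable { etherBalance[msg.sender] += msg.value; }

    // Pattern from the finding: transfer forwards only the 2300 gas stipend.
    function refundWithTransfer() external {
        uint256 refundValue = etherBalance[msg.sender];
        payable(msg.sender).transfer(refundValue);
        etherBalance[msg.sender] = 0;
    }

    // Recommended pattern: zero the balance first, then call, which forwards
    // all remaining gas (so the state update must precede the external call).
    function refundWithCall() external {
        uint256 refundAmount = etherBalance[msg.sender];
        require(refundAmount > 0, "No ETH to refund");
        etherBalance[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: refundAmount}("");
        require(success, "ETH transfer failed");
    }
}

// Recipient whose receive() writes storage; an SSTORE cannot run on 2300 gas.
contract StorageWritingRecipient {
    uint256 public received;
    receive() external payable { received += 1; }

    function fund(RefundDemo demo) external payable { demo.deposit{value: msg.value}(); }

    function claim(RefundDemo demo, bool useCall) external {
        if (useCall) demo.refundWithCall(); else demo.refundWithTransfer();
    }
}

contract RefundHarness {
    // Call with a nonzero value; each flag records whether that refund path succeeded.
    function run() external payable returns (bool transferOk, bool callOk) {
        require(msg.value > 0, "send some wei");
        RefundDemo demo = new RefundDemo();
        StorageWritingRecipient r = new StorageWritingRecipient();
        r.fund{value: msg.value}(demo);
        try r.claim(demo, false) { transferOk = true; } catch {}
        try r.claim(demo, true) { callOk = true; } catch {}
    }
}
```

A failed transfer reverts the whole claim, so the recipient's balance stays credited in the contract until the call-based refund releases it.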
Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

transfer instead of call
