DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Code Improvement Report - GmxProxy.sol (Use call Instead of transfer)

Summary

Inside GmxProxy.sol, the following functions use the transfer function to send ETH:

    function withdrawEth() external onlyOwner returns (uint256) {
        uint256 balance = address(this).balance;
        payable(msg.sender).transfer(balance);
        return balance;
    }

    function refundExecutionFee(address recipient, uint256 amount) external {
        require(msg.sender == perpVault, "invalid caller");
        payable(recipient).transfer(amount);
    }

It is recommended to use call instead of transfer: transfer forwards a fixed 2300 gas stipend to the recipient, which is enough to emit an event but not to write storage, and opcode repricing (EIP-1884 raised SLOAD, among others) has already pushed some previously working receive() functions over that limit.

Vulnerability Details

transfer forwards exactly 2300 gas to the recipient and reverts the whole transaction if the recipient's receive() or fallback() runs out of gas. Any contract recipient that does more than log an event on receipt, such as a multisig, a smart-contract wallet or a proxy that forwards the call, will therefore make the send revert. call{value: amount}("") forwards all remaining gas by default (or an explicit amount if one is given) and returns a success flag instead of reverting, so the caller decides how a failed send is handled.

Impact

  • Potential transaction failures: if the recipient's receive() or fallback() needs more than 2300 gas, withdrawEth() and refundExecutionFee() revert and the ETH stays in GmxProxy. withdrawEth() can only pay msg.sender, so an owner that is a multisig or smart-contract wallet with a non-trivial receive() would be unable to withdraw at all.

  • Reduced flexibility: call lets the sender choose how much gas to forward and returns a status flag, so failure can be handled explicitly instead of through an unconditional revert. This is the pattern OpenZeppelin's Address.sendValue uses and the one generally recommended since EIP-1884.

Tools Used

  • Manual Code Review

  • Solidity Static Analysis Tools

Recommendations

Solution: Use call Instead of transfer

Refactor the functions to use call and revert if the call reports failure.

Updated Code

    function withdrawEth() external onlyOwner returns (uint256) {
        uint256 balance = address(this).balance;
        (bool success, ) = payable(msg.sender).call{value: balance}("");
        require(success, "ETH transfer failed");
        return balance;
    }

    function refundExecutionFee(address recipient, uint256 amount) external {
        require(msg.sender == perpVault, "invalid caller");
        (bool success, ) = payable(recipient).call{value: amount}("");
        require(success, "Refund failed");
    }

Because call forwards all remaining gas rather than the 2300 stipend, the send no longer fails on the recipient's gas needs; the require still reverts if the recipient itself rejects the ETH. The trade-off is that the recipient's receive() can now run arbitrary code, including calling back into GmxProxy, so the call should be the last operation in each function (checks-effects-interactions) or the functions should carry a reentrancy guard. In these two functions the recipient is the owner or an address chosen by perpVault, so this is a design caveat to keep in mind rather than a new finding.
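The Foundry test below is added here as an illustration; it is not part of the submission or of the GmxProxy code base. It shows the failure mode concretely: a recipient whose receive() writes to storage needs far more than the 2300 gas stipend, so transfer reverts while call succeeds. Sender and StorageWritingReceiver are hypothetical stand-ins for the two send paths, and the forge-std import assumes a standard Foundry project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes a standard Foundry layout with forge-std installed.
import {Test} from "forge-std/Test.sol";

// Hypothetical recipient whose receive() writes to storage. An SSTORE to a
// fresh slot alone costs far more than the 2300 gas that transfer() forwards.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}

// Hypothetical stand-in for the two send paths under discussion (not GmxProxy).
contract Sender {
    // The "before" path: fixed 2300 gas stipend, reverts on failure.
    function sendWithTransfer(address to, uint256 amount) external {
        payable(to).transfer(amount);
    }

    // The "after" path: forwards all remaining gas, caller checks the flag.
    function sendWithCall(address to, uint256 amount) external {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    receive() external payable {}
}

contract TransferVsCallTest is Test {
    Sender sender;
    StorageWritingReceiver receiver;

    function setUp() public {
        sender = new Sender();
        receiver = new StorageWritingReceiver();
        vm.deal(address(sender), 1 ether);
    }

    // transfer() runs the recipient out of gas and reverts the whole call.
    function test_transferRevertsForStorageWritingReceiver() public {
        vm.expectRevert();
        sender.sendWithTransfer(address(receiver), 0.1 ether);
        assertEq(address(receiver).balance, 0);
    }

    // call{value: ...} forwards enough gas for the storage write to complete.
    function test_callSucceedsForStorageWritingReceiver() public {
        sender.sendWithCall(address(receiver), 0.1 ether);
        assertEq(receiver.received(), 0.1 ether);
        assertEq(address(receiver).balance, 0.1 ether);
    }
}
```

Run with `forge test --match-contract TransferVsCallTest -vv`; the first test passes only because the transfer reverts, the second because the same recipient accepts the ETH when sent via call. The same harness can be pointed at GmxProxy itself by replacing Sender with the deployed proxy and making the test contract the owner or perpVault, which is the kind of coded PoC the judge asks for below.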

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.