Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Unsafe usage of transfer() instead of safeTransfer() can lead to failed withdrawals on zkSync

Description

The Treasury contract uses transfer() for token withdrawals:

```solidity
// Treasury.withdraw as submitted: accounting is updated first, then the ERC20
// transfer() is called without checking its boolean return value
function withdraw(address token, uint256 amount, address recipient) external {
    _balances[token] -= amount;
    _totalValue -= amount;
    IERC20(token).transfer(recipient, amount); // @audit - uses transfer()
}
```

On zkSync, transfer() has a fixed gas stipend of 2300 gas. For tokens that require more gas for transfers (e.g., tokens that have hooks or complex logic), the withdrawal will fail, potentially locking funds in the Treasury.

This is particularly dangerous because the state changes (_balances, _totalValue) happen before the transfer. If the transfer fails, the state is corrupted but the function doesn't revert. Some tokens may become permanently locked in the contract.

Recommendation

Use OpenZeppelin's SafeERC20 library and safeTransfer():

```solidity
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract Treasury {
    using SafeERC20 for IERC20;
    mapping(address => uint256) internal _balances;
    uint256 internal _totalValue;

    function withdraw(address token, uint256 amount, address recipient) external {
        _balances[token] -= amount;
        _totalValue -= amount;
        // safeTransfer reverts on a false return or a reverting call, so the
        // accounting updates above are rolled back whenever the token transfer fails
        IERC20(token).safeTransfer(recipient, amount);
    }
}
```

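As an added example (not part of this submission or of the Regnum Aurum code base), a Foundry test that reproduces the accounting-corruption path described above using a constructed token whose transfer() returns false instead of reverting; it assumes forge-std and an @openzeppelin/contracts remapping are available, and the Treasury here is a cut-down stand-in with a constructor flag to switch between the two transfer styles.

```solidity
pragma solidity ^0.8.20;

import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed token: transfer() reports failure by returning false, never reverting.
contract FalseReturnToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address, uint256) external pure returns (bool) { return false; }
}

// Stand-in treasury: accounting is updated first, then the token is moved either
// with a bare transfer() (the submitted pattern) or with safeTransfer().
contract Treasury {
    using SafeERC20 for IERC20;
    bool public immutable useSafe;
    mapping(address => uint256) public balances;
    constructor(bool safe) { useSafe = safe; }
    function fund(address token, uint256 amt) external { balances[token] += amt; }
    function withdraw(address token, uint256 amount, address to) external {
        balances[token] -= amount;
        if (useSafe) IERC20(token).safeTransfer(to, amount); // reverts on false
        else IERC20(token).transfer(to, amount);             // false is dropped
    }
}

contract TreasuryTransferTest is Test {
    function testBareTransferCorruptsAccounting() public {
        FalseReturnToken t = new FalseReturnToken();
        Treasury tr = new Treasury(false);
        t.mint(address(tr), 100);
        tr.fund(address(t), 100);
        tr.withdraw(address(t), 40, address(this)); // does not revert
        assertEq(tr.balances(address(t)), 60);      // accounting says 40 went out
        assertEq(t.balanceOf(address(tr)), 100);    // but no tokens ever moved
    }

    function testSafeTransferRevertsAndKeepsState() public {
        FalseReturnToken t = new FalseReturnToken();
        Treasury tr = new Treasury(true);
        t.mint(address(tr), 100);
        tr.fund(address(t), 100);
        vm.expectRevert();
        tr.withdraw(address(t), 40, address(this));
        assertEq(tr.balances(address(t)), 100);     // the revert undid the decrement
    }
}
```

Run with `forge test` from a project that has both dependencies installed; the first test passes only because the bare transfer() path leaves the accounting out of sync with the token's real balance.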
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[INVALID] SafeERC20 not used

LightChaser Low-60
