Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

call() should be used instead of transfer() on an address payable

Summary

call() should be used instead of transfer() on an address payable.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L127

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L151

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L171

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L177

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L180

The use of the deprecated transfer() function on an address will inevitably make the transaction fail when:

The recipient does not implement a payable function.

The recipient implements a payable fallback which uses more than 2300 gas units.

The msg.sender implements a payable fallback function that needs less than 2300 gas units but is called through a proxy, raising the call's gas usage above 2300.

Additionally, forwarding more than 2300 gas might be mandatory for some multisig wallets.

Impact

ETH cannot be sent successfully.

Tools Used

Manual review

Recommendations

Use call() instead of transfer().
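The recommendation above, shown as an added example that is not code from the RAAC repository or from the submission: a refund sent with transfer() beside the same refund sent with call(). The contract names, the pendingRefunds ledger and the LoggingWallet recipient are hypothetical; because call() forwards all remaining gas, the call() version checks the return value and clears state before the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical contract for illustration; not the NFTLiquidator code.
contract RefundExample {
    // Hypothetical ledger of ETH owed to each address (e.g. an outbid bidder).
    mapping(address => uint256) public pendingRefunds;

    error RefundFailed(address to, uint256 amount);

    // Stand-in for the point where ETH owed to the caller is recorded.
    function deposit() external payable {
        pendingRefunds[msg.sender] += msg.value;
    }

    // Before: transfer() forwards a fixed 2300-gas stipend and reverts if
    // the recipient's receive/fallback needs more than that.
    function withdrawWithTransfer() external {
        uint256 amount = pendingRefunds[msg.sender];
        pendingRefunds[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // After: call() forwards all remaining gas. The balance is zeroed
    // before the external call (checks-effects-interactions) so a
    // re-entering recipient finds nothing left to withdraw, and the
    // boolean result is checked because call() does not revert by itself.
    function withdrawWithCall() external {
        uint256 amount = pendingRefunds[msg.sender];
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        if (!ok) revert RefundFailed(msg.sender, amount);
    }
}

// Constructed recipient: receive() writes storage, which cannot execute
// within the 2300-gas stipend, so pull(r, false) reverts while
// pull(r, true) succeeds.
contract LoggingWallet {
    uint256 public received;

    receive() external payable { received += msg.value; }

    function fund(RefundExample r) external payable { r.deposit{value: msg.value}(); }

    function pull(RefundExample r, bool useCall) external {
        if (useCall) r.withdrawWithCall(); else r.withdrawWithTransfer();
    }
}
```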

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
