Beatland Festival
First Flight #44
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: medium
Invalid

Insecure Ether Transfer: Rigid Gas Stipend and Potential Funds Lockout

jufel

Description: The withdraw function uses Solidity’s built-in .transfer to send the entire contract balance to an arbitrary target address:

function withdraw(address target) external onlyOwner {
payable(target).transfer(address(this).balance);
}

Because .transfer forwards a fixed 2300 gas stipend to the recipient’s fallback or receive function, it will revert if the recipient is a contract whose fallback requires more than 2300 gas (for example, logging, complex logic, or even safe-math checks). This can accidentally lock funds in the contract if the owner ever invokes withdraw to a receiver with a “heavy” fallback.

Impact:

  • Denial of Service / Funds Lockout: An otherwise benign contract used as target may consume > 2300 gas in its fallback and cause withdraw to revert, preventing the owner from ever draining the balance.

  • Usability Constraint: Restricts the set of addresses you can safely withdraw to, forcing manual gas stipend auditing on every potential target.

Mitigation:

  • Use low level .call:

function withdraw(address payable target) external onlyOwner {
uint256 bal = address(this).balance;
(bool ok, ) = target.call{ value: bal }("");
require(ok, "ETH transfer failed");
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.