withdraw sends the contract's entire ETH balance with payable(target).transfer(...) (FestivalPass.sol:148). Solidity's transfer forwards a fixed 2300 gas stipend, which is insufficient for any non-trivial receive/fallback. If the organizer's withdrawal target is a contract (a multisig, timelock, or splitter), the transfer reverts and the accumulated pass-sale ETH cannot be withdrawn.
Likelihood:
Low. Only the owner calls withdraw, and an EOA target works fine. But routing festival revenue to a multisig or timelock is a common and recommended operational practice, so a contract target is a realistic configuration.
Impact:
Low to Medium. No attacker is involved, but all proceeds from pass sales can become permanently inaccessible if the chosen withdrawal destination is a contract with a gas-consuming receiver. Because transfer reverts rather than failing gracefully, there is no fallback path and the ETH is effectively stuck until/unless an EOA target is used.
Withdrawing to a contract whose receive does any bookkeeping reverts on the 2300-gas limit.
Use a low-level call, which forwards all available gas, and require that it succeeds instead of relying on transfer's automatic revert.
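As an added illustration (not code from FestivalPass.sol; contract and function names are hypothetical), the following shows the three pieces the finding describes side by side: a receiver whose receive() does bookkeeping, a withdraw that uses transfer and therefore reverts against that receiver, and the hardened form using a low-level call with the success flag checked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of a realistic withdrawal destination (splitter/treasury
// style) that records incoming payments. Two storage writes cost far more than
// the 2300 gas stipend that transfer() forwards, so a transfer() to it reverts.
contract AccountingTreasury {
    uint256 public totalReceived;
    mapping(address => uint256) public receivedFrom;

    receive() external payable {
        totalReceived += msg.value;          // SSTORE
        receivedFrom[msg.sender] += msg.value; // SSTORE
    }
}

// Simplified stand-in for the vulnerable pattern: owner-only withdraw of the
// whole balance via transfer(). Works for an EOA target, reverts for
// AccountingTreasury because the receiver runs out of the 2300 gas stipend.
contract WithdrawWithTransfer {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    receive() external payable {}

    function withdraw(address target) external {
        require(msg.sender == owner, "not owner");
        payable(target).transfer(address(this).balance);
    }
}

// Hardened form: a low-level call forwards all remaining gas, so a contract
// target with a non-trivial receive() can accept the funds. The boolean return
// value must be checked, since call() does not revert on failure by itself.
contract WithdrawWithCall {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    receive() external payable {}

    function withdraw(address target) external {
        require(msg.sender == owner, "not owner");
        require(target != address(0), "zero target");
        uint256 amount = address(this).balance;
        (bool ok, ) = payable(target).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

Because call forwards all gas, the recipient can execute arbitrary code during the transfer. Here that is harmless: withdraw is owner-only and sends the entire balance in one step, so there is no state left to exploit on re-entry. Any version of this function that updates accounting before or after the send should finish its state changes before the call or guard the function with a reentrancy lock. Deploying AccountingTreasury and calling WithdrawWithTransfer.withdraw against its address reproduces the revert described in the finding; WithdrawWithCall.withdraw succeeds against the same target.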