instead of call(), transfer() is used to withdraw the ether #2
Handle
JMukesh
Vulnerability details
Impact
```solidity
function withdraw(uint amount) external {
    require(amount <= ethBalance[msg.sender]);
    ethBalance[msg.sender] = ethBalance[msg.sender].sub(amount);
    msg.sender.transfer(amount);
    emit Withdraw(msg.sender, amount);
}
```
To withdraw ETH it uses transfer(); this transaction will inevitably fail when:
- The withdrawer smart contract does not implement a payable function.
- The withdrawer smart contract does implement a payable fallback which uses more than 2300 gas units.
- The withdrawer smart contract implements a payable fallback function which needs less than 2300 gas units but is called through a proxy that raises the call's gas usage above 2300.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Proof of Concept
https://github.com/code-423n4/2021-04-redacted/blob/main/Beebots.sol#L649
Tools Used
no tool used
Recommended Mitigation Steps
use call() to send eth