SingleJoin/SingleExit contracts use transfer()
to send ether back to the caller
#131
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
duplicate
This issue or pull request already exists
Handle
Ruhum
Vulnerability details
Impact
The SingleJoin & SingleExit contracts use
transfer()
to send ether to the caller. If the caller is a smart contract the call might fail reverting the transaction if:receive()
or payablefallback()
function)Since gas costs might increase in the future, using
transfer()
might cause these contracts to potentially break sincetransfer()
would always fail.Here's a blogpost about using
transfer()
: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/I'd rate the issue as medium since a part of the protocol would potentially be unusable.
Proof of Concept
Usage of
transfer()
:https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/EthSingleTokenJoin.sol#L37
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/EthSingleTokenJoinV2.sol#L37
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExit.sol#L93
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExitV2.sol#L121
Tools Used
none
Recommended Mitigation Steps
Instead, the contracts should use:
Note that this approach introduces a risk of reentrancy. But, that shouldn't be a problem for these specific contracts. Nevertheless, it might be worth adding reentrancy guards in case the contracts ever get extended.
The text was updated successfully, but these errors were encountered: