A recommendation here is to stop using transfer() in the code and switch to using call() instead. #238
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-369
partial-50
Lines of code
https://github.com/code-423n4/2022-11-debtdao/blob/update-readme/contracts/utils/LineLib.sol#L48
Vulnerability details
Impact
transfer() has typically been recommended by the security community because it helps guard against reentrancy attacks. Any smart contract that uses transfer() or send() takes a hard dependency on gas costs by forwarding a fixed amount of gas: 2300. This works under the assumption that gas costs will not change, but that assumption has proven incorrect since the Istanbul hard fork. As a result, transfer() calls may fail frequently because the forwarded gas is no longer enough for the recipient.
Proof of Concept
https://github.com/code-423n4/2022-11-debtdao/blob/update-readme/contracts/utils/LineLib.sol#L48
Tools Used
Recommended Mitigation Steps
It is now recommended to stop using transfer() and to use call() instead.
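As an added illustration (example code, not code from the audited DebtDAO repository), a minimal ETH vault written both ways: the transfer() form the issue flags, which forwards only the 2300-gas stipend, beside the call() replacement, which forwards all remaining gas and therefore needs checks-effects-interactions ordering, a reentrancy guard, and a check of the returned success flag. The contract name, function names and the guard are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example, not code from the audited repository.
/// Shows the transfer() pattern the issue flags and the call() replacement
/// it recommends, together with the safeguards that call() makes necessary.
contract EthVault {
    mapping(address => uint256) public balances;
    bool private locked;

    // Simple mutex so a recipient cannot re-enter withdrawWithCall().
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Pattern the issue flags: transfer() forwards a fixed 2300 gas stipend.
    /// A recipient whose receive()/fallback() needs more than that (for
    /// example a contract that writes storage) makes the whole withdrawal
    /// revert, so funds can become stuck for such recipients.
    function withdrawWithTransfer(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    /// Recommended replacement: call() forwards all remaining gas, so the
    /// recipient is no longer coupled to the stipend. Because the recipient
    /// can now run arbitrary code, the balance is updated before the external
    /// call (checks-effects-interactions) and the function is guarded against
    /// reentrancy. The success flag must be checked explicitly: unlike
    /// transfer(), call() does not revert on failure by itself.
    function withdrawWithCall(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```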