LineLib.sol uses payable().transfer, which may lead to denial of service #283
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-369
satisfactory: Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L48
Vulnerability details
Impact
The use of `payable.transfer()` is heavily frowned upon because it can lead to the locking of funds. The `transfer()` call requires that the recipient has a `payable` callback, and only provides 2300 gas for its operation. This means the following cases can cause the transfer to fail:
- The recipient has no `payable` callback
- The `payable` callback spends more than 2300 gas (which is only enough to emit something)

If a user falls into one of the above categories, they’ll be unable to receive funds. Inaccessible funds means loss of funds, which is Medium severity.
Proof of Concept
https://github.com/debtdao/Line-of-Credit/blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L48
Tools Used
Manual Review
Recommended Mitigation Steps
Use `address.call{value:x}()` instead.
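The two failure cases and the recommended replacement, as an added example that is not code from LineLib.sol or the original report. The contract and function names (`CountingWallet`, `NoReceive`, `Payout`, `payWithTransfer`, `payWithCall`) are hypothetical, and access control is left out to keep the demonstration short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example: every name in this file is hypothetical.

/// Recipient whose receive() writes to storage.
/// A storage write cannot complete inside the 2300 gas stipend.
contract CountingWallet {
    uint256 public deposits;

    receive() external payable {
        deposits += 1;
    }
}

/// Recipient with no receive() and no payable fallback.
/// Any plain ETH send to it fails, whatever the gas limit.
contract NoReceive {}

contract Payout {
    error SendFailed();

    // Fund the contract at deployment so the sends below have a balance.
    constructor() payable {}

    /// Pattern flagged in the finding: forwards only 2300 gas.
    /// Reverts for CountingWallet (out of gas) and for NoReceive.
    function payWithTransfer(address to, uint256 amount) external {
        payable(to).transfer(amount);
    }

    /// Recommended pattern: forwards the remaining gas and checks
    /// the returned status instead of ignoring it.
    /// Succeeds for CountingWallet; still reverts for NoReceive.
    function payWithCall(address to, uint256 amount) external {
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert SendFailed();
    }
}
```

Because `call` forwards all remaining gas to the recipient, any balance or accounting updates should be written before the call is made, or the function should carry a reentrancy guard.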