sendOutTokenOrETH() calls native payable.transfer, which can be unusable for smart contract calls #291
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-369
satisfactory
Finding meets requirement
Comments
code423n4
added
2 (Med Risk)
|
dmvt marked the issue as duplicate of #14 |
|
dmvt marked the issue as partial-50 |
|
dmvt marked the issue as full credit |
|
dmvt marked the issue as satisfactory |
|
liveactionllama marked the issue as duplicate of #369 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/debtdao/Line-of-Credit//blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L34-L51
Vulnerability details
Impact
In LineLib, sendOutTokenOrETH function calls native payable.transfer. This is unsafe as transfer has hard coded gas budget and can fail when the user is a smart contract.
Whenever the user either fails to implement the payable fallback function or cumulative gas cost of the function sequence invoked on a native token transfer exceeds 2300 gas consumption limit the native tokens sent end up undelivered and the corresponding user funds return functionality will fail each time.
Proof of Concept
https://github.com/debtdao/Line-of-Credit//blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/utils/LineLib.sol#L34-L51
Tools Used
None
Recommended Mitigation Steps
Using low-level call.value(amount) with the corresponding result check or using the OpenZeppelin Address.sendValue is advised:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol#L60
The text was updated successfully, but these errors were encountered: