USE OF PAYABLE.TRANSFER() MAY LOCK USER FUNDS #398
Labels:
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-369
partial-50
satisfactory: Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/audit/code4rena-2022-11-03/contracts/utils/LineLib.sol#L48
Vulnerability details
Impact
The use of payable.transfer() is heavily frowned upon because it can lead to the locking of funds. The transfer() call requires that the recipient has a payable callback, and only provides 2300 gas for its operation. This means the following cases can cause the transfer to fail:
If a user falls into one of the above categories, they’ll be unable to receive funds. Inaccessible funds means loss of funds, which is Medium severity.
Proof of Concept
The LineLib.sol sendOutTokenOrETH function is used extensively by other contracts, as it acts as a library for sending tokens or ETH from the contract to a receiver contract.
Tools Used
Manual analysis
Recommended Mitigation Steps
Use address.call{value:x}() instead.
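The recommended change, as an added example that is not code from LineLib.sol or from the original report: an ETH send using transfer() beside the same send using call with a checked return value. All names (EthSendExample, CountingReceiver, Payer, SendFailed) and the pragma version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // assumed version; custom errors need 0.8.4 or later

// Hypothetical library, not the project's LineLib.
library EthSendExample {
    error SendFailed(address receiver, uint256 amount);

    // Before: transfer() forwards a fixed 2300-gas stipend and reverts on failure.
    function sendWithTransfer(address receiver, uint256 amount) internal {
        payable(receiver).transfer(amount);
    }

    // After: call forwards the remaining gas; its boolean result must be checked,
    // otherwise a failed send would pass silently.
    function sendWithCall(address receiver, uint256 amount) internal {
        (bool ok, ) = payable(receiver).call{value: amount}("");
        if (!ok) revert SendFailed(receiver, amount);
    }
}

// Constructed receiver: its receive() writes storage, which needs more than 2300 gas.
contract CountingReceiver {
    uint256 public deposits;

    receive() external payable {
        deposits += 1;
    }
}

// Constructed sender that owes ETH to arbitrary addresses.
contract Payer {
    mapping(address => uint256) public owed;

    function credit(address to) external payable { owed[to] += msg.value; }

    // Always reverts when `to` is a CountingReceiver, so its balance stays in Payer.
    function payOutTransfer(address to) external {
        uint256 amount = owed[to];
        owed[to] = 0;
        EthSendExample.sendWithTransfer(to, amount);
    }

    // Succeeds for CountingReceiver. The balance is zeroed before the external
    // call because call forwards all gas and the receiver can re-enter.
    function payOutCall(address to) external {
        uint256 amount = owed[to];
        owed[to] = 0;
        EthSendExample.sendWithCall(to, amount);
    }
}
```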