Use call() rather than transfer() for ETH transfers #90
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-369
satisfactory
Finding meets requirement
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/master/contracts/utils/LineLib.sol#L48
Vulnerability details
Impact
The transfer() function forwards only a fixed 2300 gas stipend to the recipient. If the recipient's receive/fallback code needs more than that, the transfer reverts. For longevity it is better to use call() rather than transfer(), so that future gas cost increases do not break ETH transfers. The transfer() function can fail for a number of reasons; additionally, using more than 2300 gas may be mandatory for some multi-sig wallets.
Recommended mitigation steps
The following git diff demonstrates how call() can be used instead of transfer();

Note that call() introduces the potential for re-entrancy, but it future-proofs ETH transfers in the event that gas usage changes. Functions that use call should follow the Checks-Effects-Interactions pattern and/or OpenZeppelin's ReentrancyGuard.
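As an added illustration of the recommendation (this is example code, not the diff from the finding and not from LineLib.sol or the Debt DAO codebase), the contract below shows a transfer()-based payout beside a call()-based one that applies Checks-Effects-Interactions and a reentrancy lock. The contract name and the minimal inline lock are assumptions; in production the lock would be OpenZeppelin's ReentrancyGuard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (not LineLib.sol). Contrasts a transfer()-based payout with a
// call()-based one that follows Checks-Effects-Interactions and a reentrancy lock.
contract EthPayout {
    mapping(address => uint256) public balances;
    bool private locked; // minimal lock standing in for OpenZeppelin's ReentrancyGuard

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    // Fragile: transfer() forwards only a 2300 gas stipend. A recipient contract
    // whose receive()/fallback needs more (e.g. some multi-sig wallets) makes this
    // revert, so that recipient can never withdraw its balance.
    function withdrawWithTransfer(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // Hardened: call() forwards all remaining gas, so future gas repricing does not
    // break payouts. Because the recipient can now run arbitrary code, the balance
    // is reduced BEFORE the external call (Effects before Interactions) and the
    // function is guarded by nonReentrant, as the finding recommends.
    function withdrawWithCall(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // Checks
        balances[msg.sender] -= amount;                                  // Effects
        (bool ok, ) = payable(msg.sender).call{value: amount}("");       // Interactions
        require(ok, "ETH transfer failed");
    }
}
```

The return value of call() must be checked explicitly: unlike transfer(), a failed call() does not revert on its own.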