Lodestar-Finance / lodestar-protocol

Houses the code for the Lodestar Finance DeFi protocol.
BSD 3-Clause "New" or "Revised" License

call() should be used instead of transfer() #2

Open rajatbeladiya opened 1 year ago

rajatbeladiya commented 1 year ago

Affected Smart Contracts:

  CEther.sol
  Maximillion.sol#43

Severity:

Medium

Description:

The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:

  1. The claimer smart contract does not implement a payable function.
  2. The claimer smart contract does implement a payable fallback which uses more than 2300 gas units.
  3. The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300. Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.

Affected Links

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/CEther.sol#L167

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/Maximillion.sol#L43

Recommendation:

Use call() instead of transfer()
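As an added illustration of the failure modes listed above (this is example code written for this page, not code from the Lodestar repository or from the issue author): a hypothetical refund contract that uses transfer() beside one that uses call(), a receiver whose receive() writes storage and so needs more than the 2300-gas stipend, and a receiver with no payable function at all. Every contract and function name here is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contracts; none of these are part of lodestar-protocol.

// Receiver whose receive() does more than 2300 gas of work: a single SSTORE
// from zero to non-zero costs about 20000 gas, so ETH sent with transfer()
// or send() (2300-gas stipend) runs out of gas and the transfer reverts.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: far beyond the 2300-gas stipend
    }
}

// Receiver with no payable receive()/fallback: any ETH sent to it reverts,
// whichever low-level mechanism the sender uses.
contract NonPayableReceiver {
    function ping() external pure returns (uint256) { return 1; }
}

// Before: refund via transfer(). The fixed 2300-gas stipend makes the whole
// refund() call revert for the storage-writing receiver, so a contract caller
// of that shape can never use this function.
contract RefundWithTransfer {
    function refund(address payable to) external payable {
        to.transfer(msg.value); // 2300 gas stipend, reverts on failure
    }
}

// After: refund via call{value: ...}("") with the returned bool checked.
// call forwards all remaining gas, so the callee may re-enter; this contract
// therefore takes a reentrancy guard and, in a real contract, state updates
// must be done before the external call (checks-effects-interactions).
contract RefundWithCall {
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function refund(address payable to) external payable nonReentrant {
        (bool ok, ) = to.call{value: msg.value}("");
        require(ok, "ETH transfer failed"); // never ignore the bool
    }
}

// Demonstration harness: deploy and call demo() with at least 3 wei.
// Expected: transferToStorageWriter == false (stipend exhausted),
//           callToStorageWriter == true (all gas forwarded),
//           callToNonPayable == false (no payable entry point; call()
//           reports it via the bool and require() reverts the refund).
contract Demo {
    function demo()
        external
        payable
        returns (bool transferToStorageWriter, bool callToStorageWriter, bool callToNonPayable)
    {
        uint256 amount = msg.value / 3;
        require(amount > 0, "send at least 3 wei");

        StorageWritingReceiver writer = new StorageWritingReceiver();
        NonPayableReceiver nonPayable = new NonPayableReceiver();
        RefundWithTransfer viaTransfer = new RefundWithTransfer();
        RefundWithCall viaCall = new RefundWithCall();

        try viaTransfer.refund{value: amount}(payable(address(writer))) {
            transferToStorageWriter = true;
        } catch {
            transferToStorageWriter = false;
        }
        try viaCall.refund{value: amount}(payable(address(writer))) {
            callToStorageWriter = true;
        } catch {
            callToStorageWriter = false;
        }
        try viaCall.refund{value: amount}(payable(address(nonPayable))) {
            callToNonPayable = true;
        } catch {
            callToNonPayable = false;
        }
    }
}
```

Deploying Demo in Remix or a Foundry test and calling demo() with a few wei shows the point of the issue: the transfer() path reverts against the storage-writing receiver, while the call() path succeeds. Against the non-payable receiver call() still fails, as it must, but it fails because the recipient cannot accept ETH, not because of an arbitrary gas cap, and the require() on the returned bool keeps the ETH from being silently lost. The cost of the change is that call{value: ...} forwards all remaining gas, so the recipient can re-enter the caller; the guard and the checks-effects-interactions ordering are what make the switch safe. OpenZeppelin's Address.sendValue and ReentrancyGuard package the same pattern if the project prefers a library.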

rotcivegaf commented 1 year ago

Attack scenario not specified.

rajatbeladiya commented 1 year ago

@rotcivegaf it's essential to understand that not every issue in a smart contract necessarily has an exploitable attack scenario. In this particular case, the bug I submitted causes the smart contract's functionality to cease working as intended, which is a significant problem on its own. Let the committee decide.