code-423n4 / 2021-04-meebits-findings

0 stars 0 forks source link

instead of call() , transfer() is used to withdraw the ether #2

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

JMukesh

Vulnerability details

Impact

function withdraw(uint amount) external { require(amount <= ethBalance[msg.sender]); ethBalance[msg.sender] = ethBalance[msg.sender].sub(amount); msg.sender.transfer(amount); emit Withdraw(msg.sender, amount); }

To withdraw eth it uses transfer(), this trnansaction will fail inevitably when : -

  1. The withdrwer smart contract does not implement a payable function.

  2. Withdrawer smart contract does implement a payable fallback which uses more than 2300 gas unit

  3. Thw withdrawer smart contract implements a payable fallback function whicn needs less than 2300 gas unit but is called through proxy that raise the call's gas usage above 2300

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Proof of Concept

https://github.com/code-423n4/2021-04-redacted/blob/main/Beebots.sol#L649

Tools Used

no tool used

Recommended Mitigation Steps

use call() to send eth