The address.transfer function is used in sweepFees and (and swapByQuote) to send ETH to an account.
It is restricted to a low amount of GAS and might fail if GAS costs change in the future or if feeRecipient is a smart contract and its fallback function handler implements anything non-trivial.
Recommended Mitigation Steps
Consider using the lower-level .call{value: value} instead and check it's success return value.
Shadowfiend
commented
2 years ago
Handle
cmichel
Vulnerability details
The
address.transferfunction is used insweepFeesand (andswapByQuote) to send ETH to an account. It is restricted to a low amount of GAS and might fail if GAS costs change in the future or iffeeRecipientis a smart contract and its fallback function handler implements anything non-trivial.Recommended Mitigation Steps
Consider using the lower-level
.call{value: value}instead and check it's success return value.