code-423n4 / 2022-01-openleverage-findings


transfer() may break in future ETH upgrade #228

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

gzeon

Vulnerability details

Impact

transfer() only forwards 2300 gas, which may break when gas costs change in a future ETH upgrade; see: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Proof of Concept

https://github.com/code-423n4/2022-01-openleverage/blob/501e8f5c7ebaf1242572712626a77a3d65bdd3ad/openleverage-contracts/contracts/OpenLevV1Lib.sol#L253

            payable(to).transfer(amount);

Recommended Mitigation Steps

Use call() instead.
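As an added illustration (not OpenLeverage code and not part of the warden's report), the pattern flagged above next to the recommended call() pattern. The contract and function names are hypothetical; the point is that transfer() forwards a fixed 2300 gas stipend and reverts if the recipient needs more, while call{value: ...} forwards whatever gas is available and returns a success flag, which in turn means the state update must happen before the external call and the function needs reentrancy protection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical payout contract (added example, not OpenLeverage code).
contract EthPayout {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    /// "Before": transfer() forwards only the 2300 gas stipend. If `to` is a
    /// contract whose receive()/fallback() writes storage (multisigs, smart
    /// wallets) or if a future gas repricing makes the stipend too small, the
    /// send reverts and the recipient can never withdraw through this path.
    function withdrawWithTransfer(address payable to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        to.transfer(amount); // reverts on failure, cannot be caught by caller
    }

    /// "After": call forwards all remaining gas and returns a success flag.
    /// Because the callee now has enough gas to re-enter, the balance is
    /// reduced before the external call (checks-effects-interactions) and the
    /// function is guarded with nonReentrant.
    function withdrawWithCall(address payable to, uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

/// Recipient whose receive() needs more than the 2300 gas stipend: the SSTORE
/// below costs well over 2300 gas, so withdrawWithTransfer() to this contract
/// reverts while withdrawWithCall() succeeds.
contract ExpensiveReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // storage write, far above the 2300 stipend
    }
}
```

To reproduce the difference, deploy both contracts, fund EthPayout from an EOA, then call withdrawWithTransfer() and withdrawWithCall() with the ExpensiveReceiver address as `to`: the first reverts with an out-of-gas inside the recipient, the second completes and `received` increases. Forwarding all gas with call() is only safe together with the effects-before-interaction ordering and the reentrancy guard shown; dropping either reintroduces the classic reentrancy issue that the 2300 stipend was originally meant to prevent.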

ColaM12 commented 2 years ago

Duplicate of #75

0xleastwood commented 2 years ago

While this issue is a duplicate of #75, the warden has failed to outline its impact on the protocol, so I don't think it's fair to treat the issues the same way.

0xleastwood commented 2 years ago

As such, I'll keep this as 1 (Low).