Using `payable.transfer` functions in `WithdrawFacet.sol` and `Libasset.sol` is not usable for smart contract calls due to possible shortage of gas. #193
Withdrawals and transferERC20 tokens are executed via transferERC20() and withdraw() functions. Since these functions calls with a fixed amount of gas, it's not yet guaranteed to reach to the destination if the receiver is a smart contract.
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibAsset.sol#L79-L85 https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L20-L38
Vulnerability details
Impact
Withdrawals and transferERC20 tokens are executed via
transferERC20()
andwithdraw()
functions. Since these functions calls with a fixed amount of gas, it's not yet guaranteed to reach to the destination if the receiver is a smart contract.Proof of Concept
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibAsset.sol#L79-L85 https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L20-L38
Outlines are here : https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Tools Used
Static testing
Recommended Mitigation Steps
Team can consider using
call.value(amount)