search

code-423n4 / 2022-03-volt-findings

0 stars 0 forks source link

Use `.call` instead of `.transfer` for increased security #6

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/mock/MockPCVDepositV2.sol#L66 https://github.com/code-423n4/2022-03-volt/blob/main/contracts/external/WETH9.sol#L53 https://github.com/code-423n4/2022-03-volt/blob/main/contracts/mock/MockCToken.sol#L54

Vulnerability details

Impact

The issue highlighted here will reduce gas costs and avoid hacks (https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/)

Proof of Concept

The .transfer function at the following places can be replaced with .call as the former has a hard dependency on gas costs as it forwards a fixed amount of gas: 2300. For further reference: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Affected code snippets:

  1. https://github.com/code-423n4/2022-03-volt/blob/main/contracts/mock/MockPCVDepositV2.sol#L66
  2. https://github.com/code-423n4/2022-03-volt/blob/main/contracts/external/WETH9.sol#L53
  3. https://github.com/code-423n4/2022-03-volt/blob/main/contracts/mock/MockCToken.sol#L54

Tools Used

Manual

Recommended Mitigation Steps

Replace .transfer with .call

ElliotFriedman commented 2 years ago

None of those contracts are in scope for this audit. Closing.