For the withdraw logic, this function uses the deprecated transfer() function on an address. transfer() forwards a fixed stipend of 2300 gas and reverts on failure, so the withdrawal will inevitably fail when:
The claimer smart contract does not implement a payable receive() or fallback() function.
The claimer smart contract implements a payable receive()/fallback() that uses more than 2300 gas units (for example, one that writes to storage).
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through a proxy, whose delegatecall overhead raises the call's gas usage above 2300.
Additionally, using more than 2300 gas may be mandatory for some multisig wallets. Gas costs also change across hard forks (EIP-1884 raised the cost of SLOAD and BALANCE), so a receiver that fits within the stipend today can stop fitting later, leaving its funds unwithdrawable.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/FungibleAssetVaultForDAO.sol#L193-L206
Vulnerability details
This is similar to a previous Code4rena issue: https://github.com/code-423n4/2021-04-meebits-findings/issues/2
POC
See the @audit note on the transfer() call at the lines referenced above: for the withdraw logic, the function uses the deprecated transfer() function on an address, which reverts in the cases listed above, and the 2300-gas stipend may be too small for some multisig wallets.
I recommend using call() instead of transfer(). Because call() forwards all remaining gas and does not revert on failure by itself, check the returned success flag and perform the ETH send after all state updates (checks-effects-interactions), or protect the function with a reentrancy guard.
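The following Solidity sketch is an added example for this writeup, not code from the jpegd repository or from the original finding. It puts the failure modes listed under the finding next to the recommended fix: a claimer whose receive() writes storage (so it needs more than 2300 gas), a vault that pays with transfer() and therefore reverts for that claimer, and a vault that pays with call() behind a reentrancy guard. All contract and function names (IVault, StorageWritingClaimer, VaultWithTransfer, VaultWithCall, depositTo, tryWithdraw) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts written for this writeup; none of this is jpegd code.

interface IVault {
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

// A claimer whose receive() writes storage. A single SSTORE costs far more
// than the 2300-gas stipend that transfer()/send() forward, so any vault that
// pays this contract with transfer() reverts.
contract StorageWritingClaimer {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: exceeds the 2300 stipend on its own
    }

    function depositTo(IVault vault) external payable {
        vault.deposit{value: msg.value}();
    }

    // Returns true if the withdrawal succeeded, false if the vault reverted.
    // Against VaultWithTransfer this returns false (the transfer() revert
    // propagates out of withdraw() and is caught here); against VaultWithCall
    // it returns true and `received` grows by `amount`.
    function tryWithdraw(IVault vault, uint256 amount) external returns (bool) {
        try vault.withdraw(amount) {
            return true;
        } catch {
            return false;
        }
    }
}

// Vulnerable pattern: transfer() forwards only 2300 gas and reverts on
// failure, so funds owed to StorageWritingClaimer are stuck for good.
contract VaultWithTransfer is IVault {
    mapping(address => uint256) public balances;

    function deposit() external payable override {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external override {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }
}

// Hardened pattern: state is updated before the external call
// (checks-effects-interactions), a reentrancy guard covers the call because
// call() forwards all remaining gas, and the success flag is checked because
// call() does not revert by itself.
contract VaultWithCall is IVault {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable override {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external override nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH send failed");
    }
}
```

To reproduce in a local test environment (Hardhat or Foundry), deploy one StorageWritingClaimer and both vaults, call depositTo on each vault with some ETH, then call tryWithdraw for the deposited amount: the call against VaultWithTransfer returns false and the claimer's balance stays stuck in the vault, while the call against VaultWithCall returns true. Replacing the claimer's receive() body with an empty one makes VaultWithTransfer succeed as well, which is exactly the dependence on the receiver's gas usage that the finding describes.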