Withdrawing native token using transfer() will inevitably fail when:
- The withdrawer smart contract does not implement a payable receive/fallback function.
- The withdrawer's smart contract implements a payable fallback which uses more than 2300 gas units.
- The withdrawer's smart contract implements a payable fallback function which needs less than 2300 gas units but is called through a proxy that raises the call's gas usage above 2300.
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L356
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L374
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L434
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L451
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L491
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L548
Vulnerability details
Impact
Users can't claim their native token back.
Proof of Concept
Withdrawing native token using transfer() will inevitably fail in the three cases listed at the top of this report (see https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/).
Tools Used
Manual review
Recommended Mitigation Steps
Use call() to send ETH (native token).
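As an added illustration of both the failure described in the proof of concept and the recommended fix (example code written for this report, not Rubicon's own contracts; the contract and function names are assumed), the escrow below carries a transfer()-based withdraw beside a call()-based one, and the receiver's receive() writes storage so it needs more than the 2300 gas stipend:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical escrow showing both send patterns. Balances are zeroed
// before the send (checks-effects-interactions), so forwarding all gas
// with call() does not open a reentrancy window on the balance.
contract Escrow {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Vulnerable form: transfer() forwards only 2300 gas and reverts if the
    // receiver's fallback/receive needs more (or is missing, or sits behind
    // a proxy), so such depositors can never get their native token back.
    function withdrawWithTransfer() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // Recommended form: call() forwards the remaining gas; its return value
    // must be checked because call() does not revert on failure by itself.
    function withdrawWithCall() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "native token transfer failed");
    }
}

// Hypothetical depositor contract whose receive() updates storage: an
// SSTORE alone costs well above the 2300 gas that transfer() forwards.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }

    // Helpers so this contract can act as the depositor in a test.
    function depositTo(Escrow e) external payable { e.deposit{value: msg.value}(); }

    function withdrawFrom(Escrow e, bool useCall) external {
        if (useCall) e.withdrawWithCall();   // succeeds
        else e.withdrawWithTransfer();       // reverts: out of gas in receive()
    }
}
```

Deploying both contracts, depositing through depositTo, and then calling withdrawFrom with useCall set to false reproduces the stuck-funds condition, while useCall set to true returns the balance.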