The use of the deprecated transfer() function for an address will cause the transaction to fail when:
The claimer contract does not implement a payable function.
The claimer contract does implement a payable fallback which uses more than 2300 gas.
The claimer contract implements a payable fallback function that needs less than 2300 gas but is called through proxy, raising the call’s gas usage above 2300.
nivasan1
commented
2 years ago
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/WETH.sol#L31
Vulnerability details
Impact
The use of the deprecated transfer() function for an address will cause the transaction to fail when: The claimer contract does not implement a payable function. The claimer contract does implement a payable fallback which uses more than 2300 gas. The claimer contract implements a payable fallback function that needs less than 2300 gas but is called through proxy, raising the call’s gas usage above 2300.
Proof of Concept
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/WETH.sol#L31
Tools Used
Manual Review
Recommended Mitigation Steps
Use call() instead of transfer()