KenzoAgada
commented
2 years ago User linked ERC20 transfers, not ETH transfers which the issue refers to.
Closed code423n4 closed 2 years ago
KenzoAgada
commented
2 years ago User linked ERC20 transfers, not ETH transfers which the issue refers to.
sourabhmarathe
commented
2 years ago We disagree that this is an issue as the transfers are called on ERC20 and not ETH, as the comment above notes.
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/92cbb0724e594ce025d6b6ed050d3548a38c264b/marketplace/MarketPlace.sol#L142 https://github.com/code-423n4/2022-06-illuminate/blob/92cbb0724e594ce025d6b6ed050d3548a38c264b/marketplace/MarketPlace.sol#L157
Vulnerability details
CALL() SHOULD BE USED INSTEAD OF TRANSFER() ON AN ADDRESS PAYABLE
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
-The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit. -The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call’s gas usage above 2300 and using higher than 2300 gas might be mandatory for some multisig wallets. -The claimer smart contract does not implement a payable function.