Closed code423n4 closed 2 years ago
Duplicate #18
Agree that using .transfer is now discouraged. I think a difference here as compared to other contests is that the _to address is simply an input to this function call -- so if it reverts they could try again with an EOA and then transfer manually to the contract. Lowering risk and merging with the warden's QA report #113
Lines of code
https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L80
Vulnerability details
Impact
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
Proof of Concept
Please check the previous issue.
Tools Used
Solidity Visual Developer of VSCode
Recommended Mitigation Steps
Recommend using call() instead of transfer().
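The recommended change, as an added example that is not code from Basket.sol or from the report: a withdrawal to a caller-supplied `_to` written with `transfer()` and with `call()`, plus a recipient whose `receive()` writes storage and therefore cannot run inside the 2300-gas stipend that `transfer()` forwards. The contract names, function names and the simple reentrancy guard are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical recipient: its receive() writes storage, which costs
// more than the 2300 gas that transfer() forwards.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}

// Hypothetical ETH holder, not the project's contract.
contract EthWithdrawExample {
    address public immutable owner;
    bool private locked;

    constructor() payable {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // call() forwards all remaining gas, so the recipient can execute
    // arbitrary code; guard against re-entry into this contract.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Before: reverts when _to is a contract such as StorageWritingReceiver.
    function withdrawWithTransfer(address payable _to) external onlyOwner {
        _to.transfer(address(this).balance);
    }

    // After: low-level call with an explicit success check.
    function withdrawWithCall(address payable _to) external onlyOwner nonReentrant {
        (bool success, ) = _to.call{value: address(this).balance}("");
        require(success, "ETH transfer failed");
    }
}
```

Calling `withdrawWithTransfer` with a `StorageWritingReceiver` address reverts, while `withdrawWithCall` succeeds; the return value of `call()` must always be checked because, unlike `transfer()`, it does not revert on its own.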