Closed code423n4 closed 2 years ago
Duplicate #18
Agree that using .transfer is now discouraged. I think a difference here as compared to other contests is that the _to address is simply an input to this function call -- so if it reverts they could try again with an EOA and then transfer manually to the contract. Lowering risk and merging with the warden's QA report #236
Lines of code
https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Basket.sol#L78-L82
Vulnerability details
This is a classic Code4rena issue:
Impact
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.
Impacted lines:
Recommended Mitigation
I recommend using call() instead of transfer()
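The failure mode and the recommended fix side by side, as an added example that is not part of the original report and is not the audited Basket.sol code. The contracts EthVault and LoggingWallet, their functions and the event are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical recipient (for example a wallet contract) whose receive()
// writes to storage. A storage write needs far more than 2300 gas.
contract LoggingWallet {
    uint256 public deposits;

    receive() external payable {
        deposits += 1;
    }
}

// Hypothetical vault used for illustration only.
contract EthVault {
    address public immutable owner;

    event Withdrawn(address indexed to, uint256 amount);

    constructor() payable {
        owner = msg.sender;
    }

    receive() external payable {}

    // Before: transfer() forwards a fixed 2300 gas stipend and reverts on
    // failure, so a withdrawal to LoggingWallet always reverts.
    function withdrawWithTransfer(address payable _to) external {
        require(msg.sender == owner, "not owner");
        uint256 amount = address(this).balance;
        _to.transfer(amount);
        emit Withdrawn(_to, amount);
    }

    // After: call() forwards the remaining gas. It returns a success flag
    // instead of reverting, so the flag must be checked explicitly.
    function withdrawWithCall(address payable _to) external {
        require(msg.sender == owner, "not owner");
        uint256 amount = address(this).balance;
        // Emit before the external call (checks-effects-interactions),
        // since the recipient now has enough gas to call back in.
        emit Withdrawn(_to, amount);
        (bool ok, ) = _to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Because call() no longer caps the recipient's gas, any function that updates balances or other state around the call needs that state settled before the call, or a reentrancy guard.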