code-423n4 / 2022-06-yieldy-findings


instead of call() , transfer() is used to withdraw the ether #180

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/34774d3f5e9275978621fd20af4fe466d195a88b/src/contracts/Staking.sol#L471

Vulnerability details

Impact

To withdraw ETH it uses transfer(); this transaction will fail inevitably when:

The withdrawer smart contract does not implement a payable function.

The withdrawer smart contract does implement a payable fallback which uses more than 2300 gas units.

The withdrawer smart contract implements a payable fallback function which needs less than 2300 gas units but is called through a proxy that raises the call's gas usage above 2300.

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Proof of Concept

    IYieldy(YIELDY_TOKEN).transfer(
        _recipient,
        IYieldy(YIELDY_TOKEN).tokenBalanceForCredits(info.credits)
    );

Recommended Mitigation Steps

Use call instead of transfer.

JasoonS commented 1 year ago

That transfer function isn't for ETH but an ERC20 token. Invalid.
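An added example, not code from the Yieldy repository or from either commenter, written in Solidity to make the distinction between the finding and the reply concrete. The `IYieldy(...).transfer(...)` call quoted above is an ERC20 `transfer(address,uint256)`, an ordinary external call that forwards all remaining gas and never runs the recipient's receive/fallback; the 2300-gas stipend the finding describes applies only to `address.transfer` on native ETH, where `call{value: ...}` is the alternative the finding recommends. The contract names `WithdrawalPatterns` and `ExpensiveReceiver` and the `IERC20` interface are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface; mirrors the shape of the IYieldy(...).transfer(...) call in the finding.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed recipient whose receive() does a storage write (well over 2300 gas),
// so a plain address.transfer to it reverts while call{value:} succeeds.
contract ExpensiveReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}

contract WithdrawalPatterns {
    IERC20 public immutable token;
    address public immutable owner;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern 1: ERC20 transfer (what Staking.sol actually does).
    // This is a normal external call into the token contract with all remaining gas.
    // The recipient's receive/fallback is not invoked, so the 2300-gas stipend
    // limitation from the finding does not apply here.
    function withdrawToken(address recipient, uint256 amount) external onlyOwner {
        bool ok = token.transfer(recipient, amount);
        require(ok, "token transfer failed");
    }

    // Pattern 2: native ETH via address.transfer.
    // Forwards exactly 2300 gas and reverts on failure, so it fails for recipients
    // with no receive/fallback, an expensive receive(), or a proxy in front of it.
    function withdrawEthWithTransfer(address payable recipient, uint256 amount) external onlyOwner {
        recipient.transfer(amount);
    }

    // Pattern 3: native ETH via low-level call.
    // Forwards all remaining gas and returns a success flag that must be checked.
    function withdrawEthWithCall(address payable recipient, uint256 amount) external onlyOwner {
        (bool ok, ) = recipient.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    // Lets the contract be funded for the two ETH patterns.
    receive() external payable {}
}
```

Deploying `ExpensiveReceiver` and funding `WithdrawalPatterns` shows the difference: `withdrawEthWithTransfer` to the receiver reverts out of gas inside the 2300-gas stipend, while `withdrawEthWithCall` succeeds. Because `call` forwards all gas, any state the sending contract relies on should be updated before the call (or the function guarded against reentrancy); `withdrawToken` is unaffected by either concern since the recipient's code never runs.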