Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L232
Vulnerability details
Impact
The use of the transfer() function for sending ETH to an address will inevitably make the transaction fail when:
- the claimer smart contract does not implement a payable function;
- the claimer smart contract implements a payable fallback that uses more than 2300 gas units;
- the claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through a proxy, raising the call's gas usage above 2300.
Additionally, using more than 2300 gas might be mandatory for some multisig wallets.
Proof of Concept
Using the transfer() function for sending ETH can fail if the receiving contract's payable function requires more than 2300 gas units or is called through a proxy, raising the gas usage above 2300. This limitation can cause transaction failures, especially with complex contracts or multisig wallets.
Tools Used
Manual review
Recommended Mitigation Steps
Use .call instead of transfer() and don't forget to check the returned success flag.
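The failing pattern beside the recommended one, as an added illustration that is not GeVault code: EthPayout, credit(), GasHungryClaimer and its claim() are hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical payout contract (not GeVault). Demonstrates why transfer()
/// strands some claimers and how the .call replacement should be written.
contract EthPayout {
    mapping(address => uint256) public owed;

    // Hypothetical accounting entry point so the contract has ETH to pay out.
    function credit(address claimer) external payable {
        owed[claimer] += msg.value;
    }

    // Failing pattern: transfer() forwards only a 2300 gas stipend, so a
    // claimer whose receive()/fallback needs more gas (proxies, multisigs)
    // reverts here and can never withdraw what it is owed.
    function claimWithTransfer() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // Recommended pattern: the low-level call forwards all remaining gas and
    // returns a success flag that must be checked. Balance is zeroed before
    // the external call (checks-effects-interactions) because the callee can
    // now execute arbitrary code, including re-entering this contract.
    function claimWithCall() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

// A claimer whose receive() costs more than 2300 gas: claimWithTransfer()
// reverts for it, while claimWithCall() pays it successfully.
contract GasHungryClaimer {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SLOAD + SSTORE alone exceed the 2300 stipend
    }

    function claim(EthPayout vault) external {
        vault.claimWithCall();
    }
}
```

Fund the claimer with credit(address(claimer)) and compare both claim paths in a local test to observe the revert versus the successful payout.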
Assessed type
ETH-Transfer