code-423n4 / 2023-10-nextgen-findings


Missing gas fee limit #2027

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L461

Vulnerability details

The use of .call{value: balance}("") does not limit the gas sent along with the Ether, potentially allowing all gas in the transaction to be used by the receiver.

    // Set a specific gas limit for the call (if applicable)
    uint256 gasLimit = someGasLimit; // Define according to your contract's requirements

    (bool success, ) = payable(admin).call{value: balance, gas: gasLimit}("");
    emit Withdraw(msg.sender, success, balance);

Assessed type

Invalid Validation

c4-pre-sort commented 10 months ago

141345 marked the issue as sufficient quality report

c4-sponsor commented 10 months ago

a2rocket (sponsor) disputed

a2rocket commented 10 months ago

Specifying a gas limit is optional.

alex-ppg commented 10 months ago

The Warden specifies that a gas limit should be enforced on a native transaction yet fails to specify how this could lead to a vulnerability.

In this particular case, the native transfer is performed in an emergency function whose sole purpose is to simply perform the transfer, meaning the submission is invalid.
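The following contract is an added illustration, not code from the NextGen repository or from any participant in this thread. It places the unbounded `call{value: balance}("")` pattern from the submission next to the gas-capped variant the Warden proposes, so the trade-off the judge alludes to is visible: when the function reads the balance once, touches no state after the external call and is protected against re-entry, forwarding all gas lets the receiver do nothing worse than spend the caller's gas, whereas a cap introduces a new failure mode for admin addresses that are contracts. The contract names, the `WITHDRAW_GAS_LIMIT` value and the `AdminWallet` receiver are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for this thread; not the NextGen MinterContract.
contract WithdrawExample {
    address public admin;
    bool private locked; // minimal reentrancy guard

    event Withdraw(address indexed caller, bool success, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    receive() external payable {}

    // Style 1: forward all remaining gas (the pattern reported in the finding).
    // The balance is read once, no storage is written after the external call,
    // and the guard blocks re-entry, so the receiver can only consume gas that
    // the admin, as msg.sender, is paying for.
    function emergencyWithdrawUnbounded() external onlyAdmin nonReentrant {
        uint256 balance = address(this).balance;
        (bool success, ) = payable(admin).call{value: balance}("");
        emit Withdraw(msg.sender, success, balance);
    }

    // Style 2: cap the forwarded gas (the Warden's suggestion).
    // Assumed value: enough for a receive() that writes one storage slot.
    uint256 public constant WITHDRAW_GAS_LIMIT = 30_000;

    // A cap that is too low makes the transfer fail for receivers that execute
    // code on receipt (e.g. a multisig wallet), so `success` must be checked;
    // otherwise the emergency path emits an event and leaves the funds in place.
    function emergencyWithdrawCapped() external onlyAdmin nonReentrant {
        uint256 balance = address(this).balance;
        (bool success, ) =
            payable(admin).call{value: balance, gas: WITHDRAW_GAS_LIMIT}("");
        require(success, "withdraw failed");
        emit Withdraw(msg.sender, success, balance);
    }
}

// Constructed receiver used as the admin address in tests: its receive()
// writes storage, which exceeds the 2300-gas stipend of transfer()/send()
// but fits within WITHDRAW_GAS_LIMIT above.
contract AdminWallet {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}
```

Deploying `WithdrawExample` with an `AdminWallet` instance as `admin` and funding it shows the point: `emergencyWithdrawUnbounded` succeeds regardless of what the wallet does on receipt, while `emergencyWithdrawCapped` succeeds only because the cap was chosen with that receiver in mind; lowering `WITHDRAW_GAS_LIMIT` below the cost of the storage write makes it revert. The protection that actually matters for a withdrawal like this is the checks-effects-interactions ordering plus the reentrancy guard, not the amount of gas forwarded.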

c4-judge commented 10 months ago

alex-ppg marked the issue as unsatisfactory: Invalid