code-423n4 / 2023-10-wildcat-findings


Use of `transfer()` Might Render asset Impossible to Withdraw #615

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/WildcatSanctionsEscrow.sol#L38

Vulnerability details

Impact

The protocol uses Solidity's transfer() when transferring the asset. This has some notable shortcomings when the recipient is a smart contract, which can render the asset impossible to transfer. Specifically, the transfer will inevitably fail when the smart contract:

Proof of Concept

```solidity
// src/WildcatSanctionsEscrow.sol, line 38
IERC20(asset).transfer(account, amount);
```

Tools Used

VS Code, Manual Review

Recommended Mitigation Steps

Using call with its returned boolean checked, in combination with a re-entrancy guard, is highly recommended.

Assessed type

ETH-Transfer
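The example below is added here and is not the Wildcat protocol's code nor part of the submitted report. It shows the pattern the report recommends (`call` with its returned boolean checked, inside a re-entrancy guard) next to the native-ETH `transfer()` form it argues against, and alongside the equivalent hardening for an ERC20 release. The second part is included because the escrow line the report cites, `IERC20(asset).transfer(account, amount)`, is an external call to the token contract rather than a native ETH send, so the 2300-gas stipend concern does not apply to it; the check a practitioner would want on that line is that the token call succeeded and returned true (or returned no data, for non-standard tokens). All contract, function and state names (`ReleaseExample`, `ethBalance`, `assetBalance`, `releaseEth`, `releaseAsset`) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Wildcat protocol's code. Minimal escrow-style
// release contract; all names here are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReleaseExample {
    // Hypothetical per-account balances held for release.
    mapping(address => uint256) public ethBalance;
    mapping(address => uint256) public assetBalance;
    IERC20 public immutable asset;

    // Single-slot re-entrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 asset_) {
        // A low-level call to an address with no code returns success with empty
        // data, so make sure the token actually exists before trusting that path.
        require(address(asset_).code.length > 0, "asset has no code");
        asset = asset_;
    }

    receive() external payable {
        ethBalance[msg.sender] += msg.value;
    }

    // The form the report argues against for native ETH: transfer() forwards
    // only a 2300 gas stipend, so a contract recipient whose receive()/fallback
    // needs more gas than that reverts and can never withdraw.
    function releaseEthWithTransfer() external nonReentrant {
        uint256 amount = ethBalance[msg.sender];
        ethBalance[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // The recommended form: effects before the interaction, all gas forwarded
    // via call, the returned boolean checked, and the whole function guarded.
    function releaseEth() external nonReentrant {
        uint256 amount = ethBalance[msg.sender];
        ethBalance[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    // ERC20 counterpart of the line the report cites. IERC20.transfer is an
    // ordinary external call with no gas stipend, so the concern above does not
    // apply; what does apply is checking the return value while tolerating
    // tokens that return no data at all (the SafeERC20 approach).
    function releaseAsset() external nonReentrant {
        uint256 amount = assetBalance[msg.sender];
        assetBalance[msg.sender] = 0;
        (bool ok, bytes memory data) = address(asset).call(
            abi.encodeWithSelector(IERC20.transfer.selector, msg.sender, amount)
        );
        require(
            ok && (data.length == 0 || abi.decode(data, (bool))),
            "token transfer failed"
        );
    }
}
```

`releaseEthWithTransfer` is kept only to show the contrast; a deployment would ship `releaseEth` and `releaseAsset`. Zeroing the balance before the external call is what makes the guard a second line of defence rather than the only one.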

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

Invalid

c4-judge commented 1 year ago

MarioPoneder marked the issue as unsatisfactory: Invalid