Closed c4-bot-10 closed 8 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #56
alcueca marked the issue as selected for report
alcueca marked the issue as satisfactory
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/FeeSplitter.sol#L80-L87
https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/FeeSplitter.sol#L103-L117
Vulnerability details
Impact
The use of transfer() is deprecated as the transaction may fail in numerous scenarios. For instance, most multisignature wallet overheads are at least 2300 gas units.
The rationale behind this deprecation is that using a fixed amount of gas for an action shows poor resilience for the future of the ecosystem, considering the changes in the EVM and smart contract behaviors.
In the codebase, you cannot transfer fees, and the fees are linked to the holders who held Curve tokens at the time of the fees. If the fee receiver falls into the above scenarios, the fees will be lost.
Recommended Mitigation Steps
Use call() instead of transfer() in the claimFees function of the FeeSplitter.sol contract.
Use call() instead of transfer() in the batchClaiming function of the FeeSplitter.sol contract.
Assessed type
Payable
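The difference between the two payout styles discussed in this report, as an added sketch that is not code from the Curves repository or from the report's author. The contract, function, error and event names are all hypothetical, and the receiver contract is constructed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, NOT the Curves FeeSplitter. All names are hypothetical.
contract ClaimSketch {
    mapping(address => uint256) public unclaimed; // fees owed per holder
    error NothingToClaim();
    error PayoutFailed();
    event Claimed(address indexed holder, uint256 amount);

    function credit(address holder) external payable { // constructed funding path
        unclaimed[holder] += msg.value;
    }

    // transfer() forwards only the 2300-gas stipend. If the receiver's receive()
    // needs more, the payout reverts and this holder can never complete a claim.
    function claimWithTransfer() external {
        uint256 amount = unclaimed[msg.sender];
        if (amount == 0) revert NothingToClaim();
        unclaimed[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
        emit Claimed(msg.sender, amount);
    }

    // call() forwards all remaining gas, so the receiver can re-enter. The balance
    // is zeroed before the external call and the return value is checked.
    function claimWithCall() external {
        uint256 amount = unclaimed[msg.sender];
        if (amount == 0) revert NothingToClaim();
        unclaimed[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        if (!ok) revert PayoutFailed();
        emit Claimed(msg.sender, amount);
    }
}

/// Constructed receiver whose receive() writes storage (costs more than 2300 gas).
contract StorageWritingReceiver {
    uint256 public received;
    receive() external payable { received += msg.value; }

    function claimTransfer(ClaimSketch s) external { s.claimWithTransfer(); } // reverts
    function claimCall(ClaimSketch s) external { s.claimWithCall(); }         // succeeds
}
```

Because call() hands control and gas to the receiver, the zero-before-send ordering and the checked return value are what keep the switch from introducing a reentrancy or silent-failure problem.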