Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/main/hardhat-vultisig/contracts/Whitelist.sol#L73
Vulnerability details
Impact
Transferring funds back to a caller with the built-in function `.transfer()` can be problematic if `msg.sender` is a smart contract. The `transfer()` call requires that the recipient has a payable callback and only provides 2300 gas for its operation. This means the following cases can cause the transfer to fail:
- The contract does not have a payable callback
- The contract's payable callback spends more than 2300 gas
Tools Used
Manual Review
Recommended Mitigation Steps
Use `call{value:x}()` instead.
Assessed type
ETH-Transfer
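The failure mode and the recommended mitigation side by side, as an added example that is not code from the Vultisig repository: `GasHungryReceiver`, `RefundWithTransfer` and `RefundWithCall` are hypothetical contracts, and the hardened version also checks the `call` result and zeroes state before the external call so the extra forwarded gas cannot be used for reentrancy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical caller contract whose receive() writes to storage.
// An SSTORE alone costs more than the 2300 gas stipend of transfer().
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // exceeds 2300 gas -> transfer() to us reverts
    }

    // Reverts: target.refund() pays us back with transfer(), and our
    // receive() runs out of the 2300-gas stipend.
    function viaTransfer(RefundWithTransfer target) external payable {
        target.refund{value: msg.value}();
    }

    // Succeeds: target.withdraw() uses call, which forwards enough gas.
    function viaCall(RefundWithCall target) external payable {
        target.deposit{value: msg.value}();
        target.withdraw();
    }
}

// "Before": the pattern the finding describes. Any contract caller whose
// payable callback is missing or needs > 2300 gas is locked out.
contract RefundWithTransfer {
    function refund() external payable {
        payable(msg.sender).transfer(msg.value);
    }
}

// "After": call{value: x}("") as recommended, plus the two checks a
// reviewer expects with it: verify the boolean result, and update state
// before the external call (checks-effects-interactions).
contract RefundWithCall {
    mapping(address => uint256) public owed;

    function deposit() external payable {
        owed[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effect first: reentrant call sees 0 owed
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed"); // call does not revert on its own
    }
}
```

Deploying all three and sending ETH through `viaTransfer` reverts, while the same amount through `viaCall` round-trips and is recorded in `received`.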