Open hats-bug-reporter[bot] opened 8 months ago
Dublicate.
Comment: We cannot add additional gas call to these transfers since the relayer would have to carry it. It could also subject the relayer to griefing by other relayers or applications.
Provider a better fix otherwise this is a non-issue.
Github username: @0xRizwan Twitter username: 0xRizwann Submission hash (on-chain): 0x056fd0f433a0330da5622493d13587233e16bc9e71481eb32659b79458c1257f Severity: medium
Description: Description
The transfer() function forward a fixed amount of 2300 gas. Historically, it has often been recommended to use these functions for value transfers to guard against reentrancy attacks. However, the gas cost of EVM instructions may change significantly during hard forks which may break already deployed contract systems that make fixed assumptions about gas costs. For example. EIP 1884 broke several existing smart contracts due to a cost increase of the SLOAD instruction.
Attack Scenario
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
1) The claimer smart contract does not implement a payable function. 2) The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit. 3) The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300. 4) Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.
Issue code location:
https://github.com/catalystdao/GeneralisedIncentives/blob/2448d77e412216283ed75d8c3cbaa1270657f7b5/src/IncentivizedMessageEscrow.sol#L218
Proof of Concept (PoC) File
In
IncentivizedMessageEscrow.sol
at L-218, the transaction would fail as described for the above mentioned four different scenarios.Revised Code File (Optional)
Use call instead of transfer
References
Check the consensys article on Stop Using Solidity's transfer() Now