Use call instead of transfe.

Github username: @hunter-w3b Twitter username: hunter_w3b Submission hash (on-chain): 0x249cf5faaaf682d96f736ef01511defb25179f1876f87ed932b8b46fef040dce Severity: medium

Description: Description\ In the forwardETH functions, transfer() is used for native ETH . The transfer() and send() functions forward a fixed amount of 2300 gas. Historically, it has often been recommended to use these functions for value transfers to guard against reentrancy attacks but this function is only called by Master. However, the gas cost of EVM instructions may change significantly during hard forks which may break already deployed contract systems that make fixed assumptions about gas costs. For example. EIP 1884 broke several existing smart contracts due to a cost increase of the SLOAD instruction.

impact\ The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:

The claimer smart contract does not implement a payable function.
The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.
Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.

PendlePowerFarmController.sol::forwardETH

    function forwardETH(
        address _to,
        uint256 _amount
    )
        external
        onlyMaster
    {
        payable(_to).transfer(
            _amount
        );
    }

Recommended Mitigation\ Use call() instead of transfer().

(bool result, ) = payable(_to).call{value: _amount}("");
 require(result, "Failed to send Ether");

hats-finance / Wise-Lending-0xa2ca45d6e249641e595d50d1d9c69c9e3cd22573

Use call instead of transfe. #32