When making external calls using the call() opcode, it's necessary to check the return data size of the payload that's copied to memory. IF the payload is too big, the user transaction will revert due to tx becoming too expensive to execute.
Attack Scenario
Inside of Treasury.sol, when calling withdraw() function bytes memory param remains unchecked that allows the attack to happen:
Github username: @rodiontr Submission hash (on-chain): 0xa3211cf2781209aa839b66350d460529808e3f723d61d583d2e184beb8561ef7 Severity: low
Description: Description\
When making external calls using the
call()opcode, it's necessary to check the return data size of the payload that's copied to memory. IF the payload is too big, the user transaction will revert due to tx becoming too expensive to execute.Attack Scenario
Inside of
Treasury.sol, when callingwithdraw()function bytes memory param remains unchecked that allows the attack to happen:Attachments
https://github.com/hats-finance/ether-fi-0x36c3b77853dec9c4a237a692623293223d4b9bc4/blob/master/src/Treasury.sol#L21-22
Recommendations
Implement the
call()opcode using assembly.