call() should be used instead of transfer() on an address payable
Summary
Use call() instead of transfer() on an address payable since the use of the deprecated transfer() function for such an address will inevitably make the transaction fail
Vulnerability Detail
The transfer() function forwards a fixed amount of 2300 gas. Historically, it has often been recommended to use this functions for value transfers to guard against reentrancy attacks. However, the gas cost of EVM instructions may change significantly during hard forks which may break already deployed contract systems that make fixed assumptions about gas costs. For example. EIP 1884 broke several existing smart contracts due to a cost increase of the SLOAD instruction.
Impact
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
The claimer smart contract does not implement a payable function.
The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.
Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.
Use call() instead of transfer(), but be sure to respect the CEI pattern and/or add re-entrancy guards, as several hacks already happened in the past due to this recommendation not being fully understood.
Diana
medium
call() should be used instead of transfer() on an address payable
Summary
Use
call()
instead oftransfer()
on an address payable since the use of the deprecated transfer() function for such an address will inevitably make the transaction failVulnerability Detail
The
transfer()
function forwards a fixed amount of 2300 gas. Historically, it has often been recommended to use this functions for value transfers to guard against reentrancy attacks. However, the gas cost of EVM instructions may change significantly during hard forks which may break already deployed contract systems that make fixed assumptions about gas costs. For example. EIP 1884 broke several existing smart contracts due to a cost increase of the SLOAD instruction.Impact
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
Code Snippet
https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/BondBatchAuctionV1.sol#L287
Tool used
Manual Review
Recommendation
Use
call()
instead oftransfer()
, but be sure to respect the CEI pattern and/or add re-entrancy guards, as several hacks already happened in the past due to this recommendation not being fully understood.More info on;
https://swcregistry.io/docs/SWC-134
Reference reports: https://github.com/sherlock-audit/2022-11-dodo-judging/issues/5
Duplicate of #37