address.call{value:x}() should be used instead of payable.transfer()
Summary
The protocol uses Solidity’s transfer() instead of call.
Vulnerability Detail
The protocol uses Solidity’s transfer() when transferring ETH to the recipients. This has some notable shortcomings when the recipient is a smart contract, which can render ETH impossible to transfer. Specifically, the transfer will inevitably fail when the smart contract:
does not implement a payable fallback
smart contract implements a payable fallback function which uses more than 2300 gas units
smart contract implements a payable fallback function which uses less than 2300 gas units but is called through a proxy that raises the call's gas usage above 2300.
Risks of reentrancy stemming from the use of this function can be mitigated by tightly following the "Check-Effects-Interactions" pattern and using OpenZeppelin Contract’s ReentrancyGuard contract.
Jaraxxus
medium
address.call{value:x}() should be used instead of payable.transfer()
Summary
The protocol uses Solidity’s transfer() instead of call.
Vulnerability Detail
The protocol uses Solidity’s transfer() when transferring ETH to the recipients. This has some notable shortcomings when the recipient is a smart contract, which can render ETH impossible to transfer. Specifically, the transfer will inevitably fail when the smart contract:
Risks of reentrancy stemming from the use of this function can be mitigated by tightly following the "Check-Effects-Interactions" pattern and using OpenZeppelin Contract’s ReentrancyGuard contract.
Impact
Stated above.
Code Snippet
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L282-L285
Tool used
Manual Review
Recommendation
Using low-level call.value(amount) with the corresponding result check or using the OpenZeppelin Address.sendValue is advised
Duplicate of #123