Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {invalid: even if that happens the amount will go to the same recipient same as nomally calling it again}
bareli
medium
low-level call to transfer ETH
Summary
The withdrawFees function uses a low-level call to transfer ETH, which can be risky if the recipient is a contract with a fallback function. It's generally safer to use transfer or send with a fixed gas limit.
Vulnerability Detail
(bool success,) = feeRecipient.call{value: fee}(""); if (!success) { revert WithdrawFailed();
(bool success,) = dest.call{value: value}(""); if (!success) { revert UnlockFailed(); }
Impact
which can be risky if the recipient is a contract with a fallback function. It's generally safer to use transfer or send with a fixed gas limit.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L175 https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L259
Tool used
Manual Review
Recommendation
use a gas limit.