Some user are not able to withdraw variableToPendingWithdrawalAmount
Summary
withdrawAmountVariablePending will fail in the worst case
Vulnerability Detail
In function withdrawAmountVariablePending, it use transfer to transfer variableToPendingWithdrawalAmount[msg.sender] to msg.sender
function withdrawAmountVariablePending() public {
uint256 amount = variableToPendingWithdrawalAmount[msg.sender];
variableToPendingWithdrawalAmount[msg.sender] = 0;
payable(msg.sender).transfer(amount);
}
But the problem is from solidity docs when using function transfer, calling fallback and receive function of receiver is limited to 2300 gas. Which mean if receiver is a contract that have receive() or fallback() function that consume more than 2300 gas, it will revert, lead to user are not able to claim withdraw request.
Impact
User are not able to withdrawAmountVariablePending in the worst case
tmotfl
High
Some user are not able to withdraw
variableToPendingWithdrawalAmount
Summary
withdrawAmountVariablePending
will fail in the worst caseVulnerability Detail
In function
withdrawAmountVariablePending
, it usetransfer
to transfervariableToPendingWithdrawalAmount[msg.sender]
tomsg.sender
But the problem is from solidity docs when using function transfer, calling fallback and receive function of receiver is limited to 2300 gas. Which mean if receiver is a contract that have
receive()
orfallback()
function that consume more than 2300 gas, it will revert, lead to user are not able to claim withdraw request.Impact
User are not able to withdrawAmountVariablePending in the worst case
Code Snippet
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/38dd9c8436db341c331f1b14545770c1766fc0ee/lido-fiv/contracts/LidoVault.sol#L656
Tool used
Manual Review
Recommendation
Using
call()
instead oftransfer()