In the withdraw functions transfer() is used for native ETH withdrawal. The transfer function is not recommended for sending native token due to its, 2300 gas unit limit. Instead, call can be used to circumvent the gas limit.
function withdrawFunds(address paymentToken) external onlyOwner {
if (paymentToken == address(0)) {
// @audit-issue : .transfer can be revert on 2300 gas .
payable(msg.sender).transfer(address(this).balance);
} else {
IERC20(paymentToken).transfer(msg.sender, IERC20(paymentToken).balanceOf(address(this)));
}
}
Recommendation
Use call instead of transfer for sending native token.
Mahi_Vasisth
Medium
USE CALL INSTEAD OF TRANSFER
Summary
In the withdraw functions
transfer()is used for native ETH withdrawal. The transfer function is not recommended for sending native token due to its, 2300 gas unit limit. Instead, call can be used to circumvent the gas limit.Code Snippet
https://github.com/sherlock-audit/2024-10-ethos-network/blob/db37b9dc2b792e245eb683d8a956bcb7ef2f1a27/ethos/packages/contracts/contracts/EthosReview.sol#L451
Recommendation
Use call instead of transfer for sending native token.