The linked statements perform low-level native asset transfers via the transfer function exposed by the address payable data type.
Impact:
As new EIPs such as EIP-2930 are introduced to the blockchain, gas costs can change and the transfer instruction of Solidity specifies a fixed gas stipend that is prone to failure should such changes be integrated to the blockchain the contract is deployed in. A prime example of this behaviour are legacy versions of Gnosis were susceptible to this issue and would cause native transfers to fail if sent to a new address.
Example:
payable(master).transfer(
msg.value
);
Recommendation:
We advise alternative ways of transferring assets to be utilized instead, such as OpenZeppelin's Address.sol library and in particular the sendValue method exposed by it. If re-entrancies are desired to be prevented based on gas costs, we instead advise a mechanism to be put in place that either credits an account with a native balance they can withdraw at a secondary transaction or that performs the native asset transfers at the end of the top-level transaction's execution.
vm06007
commented
11 months ago
WLG-02S: Deprecated Native Asset Transfers
Description:
The linked statements perform low-level native asset transfers via the
transferfunction exposed by theaddress payabledata type.Impact:
As new EIPs such as EIP-2930 are introduced to the blockchain, gas costs can change and the
transferinstruction of Solidity specifies a fixed gas stipend that is prone to failure should such changes be integrated to the blockchain the contract is deployed in. A prime example of this behaviour are legacy versions of Gnosis were susceptible to this issue and would cause native transfers to fail if sent to a new address.Example:
Recommendation:
We advise alternative ways of transferring assets to be utilized instead, such as OpenZeppelin's
Address.sollibrary and in particular thesendValuemethod exposed by it. If re-entrancies are desired to be prevented based on gas costs, we instead advise a mechanism to be put in place that either credits an account with a native balance they can withdraw at a secondary transaction or that performs the native asset transfers at the end of the top-level transaction's execution.