Code4rena, CODE423N4:2022-03-LIFINANCE-FINDINGS-ISSUES-193
Mar 30, 2022 - 12:00 a.m.

Using payable.transfer in WithdrawFacet.sol and LibAsset.sol is not usable for smart contract calls due to a possible shortage of gas.

Lines of code
<https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L20-L38>

Vulnerability details

Impact

Withdrawals and ERC20 token transfers are executed via the transferERC20() and withdraw() functions. Because these functions make their calls with a fixed amount of gas, the transfer is not guaranteed to reach the destination if the receiver is a smart contract.

Proof of Concept

<https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L20-L38>

The issue is outlined here: <https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/>

Tools Used

Static testing

Recommended Mitigation Steps

The team can consider using call.value(amount).
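
An added example (not taken from the finding or from the LiFi code base) that puts the fixed-gas transfer next to the recommended call; all contract and function names are hypothetical. It uses `call{value: amount}("")`, the current Solidity spelling of `call.value(amount)`, and adds a reentrancy lock because the call forwards all remaining gas to the receiver.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;
// Constructed example; names are hypothetical, not the project's code.

/// Receiver whose receive() writes to storage, which costs more than
/// the 2300-gas stipend that transfer() and send() forward.
contract RecordingWallet {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: exceeds the 2300-gas stipend
    }
}

contract WithdrawExample {
    address public immutable owner;
    bool private locked;

    error NotOwner();
    error Reentrancy();
    error NativeTransferFailed();

    constructor() payable {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    /// Before: reverts when `to` is a RecordingWallet (out of gas in receive()).
    function withdrawWithTransfer(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }

    /// After: forwards the remaining gas and checks the returned success flag.
    function withdrawWithCall(address payable to, uint256 amount) external onlyOwner nonReentrant {
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert NativeTransferFailed();
    }
}
```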
