🟣 Audita’s Vulnerability Highlights: Part 4

Audita
2 min read · Aug 8, 2023

Learn about notable Web3 vulnerabilities found by our experts ⬇️


🟣 MEDIUM — Using transfer() when transferring ETH.

The transfer() and send() functions forward only a fixed, small amount of gas to the recipient. Historically, they were often recommended for value transfers precisely because that limit guards against reentrancy attacks.

Check the reward distribution example below:

[Image not preserved: reward distribution example using the deprecated transfer() function.]

However, the gas cost of EVM instructions may change significantly during hard forks, which can break already deployed contract systems that make fixed assumptions about gas costs. 🤔

⚠️ Using the deprecated transfer() function when transferring ETH will inevitably make the transaction fail when:

  1. The claimer smart contract does not implement a payable fallback (or receive) function.
  2. The claimer smart contract does implement a payable fallback, but it consumes more gas than the fixed amount forwarded.
  3. The claimer smart contract implements a payable fallback function that needs less than the fixed amount of gas, but it is called through a proxy, and the proxy's delegation raises the call's gas cost above the fixed amount.

The fix is simple:
Use call() instead of transfer().
Now the transaction cannot fail because of a hard-coded gas assumption!
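To make the three failure cases and the fix concrete, here is an added illustration written for this post; it is not Audita's audited code or code from the post's missing screenshot. All contract and function names (RewardsWithTransfer, StorageWritingClaimer, RewardsWithCall, fund, claim) are hypothetical. It assumes only the standard facts that transfer() forwards a fixed 2300 gas stipend and that call{value: ...}("") forwards all remaining gas:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reward-distribution contract in the "before" form the post describes:
// ETH is pushed with the deprecated transfer(), which forwards only the fixed
// 2300 gas stipend to the recipient.
contract RewardsWithTransfer {
    mapping(address => uint256) public rewards;

    function fund(address claimer) external payable {
        rewards[claimer] += msg.value;
    }

    function claim() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        rewards[msg.sender] = 0;
        // Reverts for any claimer whose receive()/fallback needs more than 2300 gas,
        // and for any claimer contract that has no payable receive()/fallback at all.
        payable(msg.sender).transfer(amount);
    }
}

// Hypothetical claimer used to show failure case 2: its receive() writes storage,
// and a single SSTORE already costs more than the 2300 gas stipend, so every
// transfer() to this contract reverts and its rewards are stuck.
contract StorageWritingClaimer {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: well above the 2300 gas stipend
    }

    function claimFrom(RewardsWithTransfer distributor) external {
        distributor.claim(); // msg.sender inside claim() is this contract
    }
}

// Hardened form: call() forwards all remaining gas, so the claimer decides how much
// it needs and hard-fork gas repricing no longer matters. Because the callee can now
// execute arbitrary code and re-enter, the contract (a) zeroes the balance before
// the external call (checks-effects-interactions), (b) holds a reentrancy lock for
// the duration of claim(), and (c) checks the call's boolean result.
contract RewardsWithCall {
    mapping(address => uint256) public rewards;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function fund(address claimer) external payable {
        rewards[claimer] += msg.value;
    }

    function claim() external nonReentrant {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        rewards[msg.sender] = 0; // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed"); // never ignore the return value of call()
    }
}
```

Two points worth keeping in mind when reviewing a contract that has made this switch. First, call() removes the gas ceiling that made transfer() a de facto reentrancy guard, so the hardened contract must supply that protection itself; the balance update before the call and the lock above are what do that here. Second, call() only removes the gas-related revert: a claimer whose receive() deliberately reverts will still make its own claim fail, which is why the example uses a pull pattern with per-claimer accounting, so one failing claimer cannot block anyone else's payout.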

We hope you found Part 4 useful for your safety quest 🔥

Part 5 of Audita’s Vulnerability Highlights will be out soon.
Follow and ReX @AuditaSecurity 👀

Stay Safu!
Audita’s Team
