FairSide contest - JMukesh's results

FairSide Network

General Information

Platform: Code4rena

Start Date: 20/05/2021

Pot Size: $55,000 USDC

Total HM: 19

Participants: 8

Period: 7 days

Judge: cemozer

Total Solo HM: 11

Id: 11

League: ETH

Researcher Performance

Rank: 7/8

Findings: 2

Award: $1,441.12

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: JMukesh

Labels

bug
duplicate
2 (Med Risk)

Awards

1441.1236 USDC - $1,441.12

Handle

JMukesh

Vulnerability details

Impact

Istanbul hardfork increases the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.

In the file Withdrawable.sol, the contract uses transfer() to send ETH from the contract to an EOA, due to which ETH can get stuck.

The reason behind this is that, after the Istanbul hardfork, any smart contract that uses transfer() or send() is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300. This forwards 2300 gas, which may not be enough if the recipient is a contract and gas costs change.

Proof of Concept

https://github.com/code-423n4/2021-05-fairside/blob/main/contracts/dependencies/Withdrawable.sol#L18

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Tools Used

manual review

Use call() to send ETH.

#0 - fairside-core

2021-05-30T13:31:09Z

Duplicate of #67
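The finding's recommendation, shown as an added example that is not part of the submission and not FairSide's Withdrawable.sol: a pull-payment withdrawal using transfer() beside the same withdrawal using call(), plus a recipient whose receive() needs more than the 2300 gas stipend. The contract and function names (PullPayment, LoggingWallet, pending, pull) are hypothetical, and Solidity 0.8 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract with hypothetical names; not the audited code.
contract PullPayment {
    mapping(address => uint256) public pending; // ETH owed to each account
    bool private locked;                        // minimal reentrancy lock

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit(address payee) external payable {
        pending[payee] += msg.value;
    }

    // Before: transfer() forwards a fixed 2300 gas. A contract recipient whose
    // receive() needs more reverts every time, so its balance stays stuck here.
    function withdrawWithTransfer() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pending[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // After: call() forwards the remaining gas. That makes reentrancy possible,
    // so the balance is zeroed before the call and the function is guarded.
    // call() returns false instead of reverting, so the result must be checked.
    function withdrawWithCall() external nonReentrant {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pending[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

// Constructed recipient: receive() writes storage, which cannot run within
// 2300 gas, so pull(p, false) reverts while pull(p, true) succeeds.
contract LoggingWallet {
    uint256 public received;
    receive() external payable { received += msg.value; }
    function pull(PullPayment p, bool useCall) external {
        if (useCall) p.withdrawWithCall(); else p.withdrawWithTransfer();
    }
}
```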
