Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 60/60
Findings: 1
Award: $70.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Dravee
Also found by: IllIllI, MaratCerby, UnusualTurtle, WatchPug, antonttc, berndartmueller, cccz, danb, horsefacts, hyh, pauliax, rayn, wuwe1
70.085 USDC - $70.08
CompoundHandler topUp(), EthPool _doTransferOut() and VaultReserve withdraw() call native payable.transfer
Multiple operations are handled by using a payable.transfer() call. transfer() has a gas budget limit which is unsafe because gas costs can and may change and can fail when the user is a smart contract.
CompoundHandler, VaultReserve, and EthPool have a function that calls transfer:
CompoundHandler.topUp
VaultReserve.withdraw
EthPool._doTransferOut
Using low-level call.value(amount) with the corresponding result check or using the OpenZeppelin Address.sendValue, and using nonReentrant is advised
#0 - gzeoneth
2022-05-08T21:12:37Z
Duplicate #52