Platform: Code4rena
Start Date: 20/10/2021
Pot Size: $30,000 ETH
Total HM: 5
Participants: 15
Period: 3 days
Judge: 0xean
Total Solo HM: 3
Id: 44
League: ETH
Rank: 8/15
Findings: 2
Award: $461.32
🌟 Selected for report: 1
🚀 Solo Findings: 0
240.9613 USDC - $240.96
elprofesor
The use of .transfer() in Swap.sol may have unintended outcomes on the eth being sent to the receiver. Eth may be irretrievable or undelivered if the msg.sender or feeRecipient is a smart contract. Funds can potentially be lost if;
The latter situation may occur in the instance of gas cost changes. The impact would mean that any contracts receiving funds would potentially be unable to retrieve funds from the swap.
This issue directly impacts the following lines of code: L257, L173, L158
Examples of similar issues ranked as medium can be found here and here, just search for 'M04'. A detailed explanation of why relying on payable().transfer() may result in unexpected loss of eth can be found here
Manual review
Re-entrancy has been accounted for in all functions that reference Solidity's transfer() . This has been done by using a re-entrancy guard, therefore, we can rely on msg.sender.call.value(amount)` or using the OpenZeppelin Address.sendValue library
🌟 Selected for report: leastwood
Also found by: elprofesor
elprofesor
Swap.sol is based on a governance model, where the contract owner is capable of actioning emergency pauses. Swap.sol uses OpenZeppelin's Ownable for managing ownership changes. This contract does not implement a transfer-accept ownership pattern. This could result in the accidental transfer of ownership of the Swap to a contract not managed by the true governor.
Implement a transfer-accept ownership pattern in Swap.sol contract.
#0 - Shadowfiend
2021-10-29T21:10:55Z
Duplicate of #78.