Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 116/144
Findings: 1
Award: $0.00
π Selected for report: 0
π Solo Findings: 0
π Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
transfer uses a fixed amount of gas, which can result in revert if the recipient is a contract. For instance when:
The PA1D._payoutEth function use transfer instead of call to distribute royalties. Which could lead to DoS for all royalties recipients since only one misbehaving address is needed for the entire function call to revert.
In PA1D._payoutEth royalties are distributed to the recipients addresses set by the owner in addresses using transfer. If only one of these addresses is a contract which for the any reason need more than 2300 gas to execute the transfer or doesn't implement a receive function, the call to PA1D._payoutEth will revert and no one will be able to receive his royalties.
addresses[i].transfer(sending);
Blog post about this from consensys diligence (2019): https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Manual review.
call should be used instead of transfer, while making sure to follow the "Checks-Effects-Interactions" pattern to prevent potential reentrancy. A reentrancy lock could also be used as additionnal safety, but would increase the gas usage.
Change this :
addresses[i].transfer(sending);
to this :
(bool success, ) = addresses[i].call{value: sending}(""); require(success, "Transfer Failed");
#0 - gzeoneth
2022-10-30T15:53:00Z
#1 - gzeoneth
2022-11-21T07:29:11Z
As QA report