0

I am trying to comprehend the following snippet of payment code:

        if (collectedFees >= minFeePayout) {
            if (!owner.send(collectedFees)) {
                // Potentially sending money to a contract that
                // has a fallback function.  So instead, try
                // tranferring the funds with the call api.
                if (owner.call.gas(msg.gas).value(collectedFees)()) {
                    collectedFees = 0;
                }

The code fragment is from this contract: https://etherscan.io/address/0x9f1d916a456b96146e9f0dbbd0e107a1f389a061#code.

So my question is:

  1. why this contract uses one send and one call?

  2. Is it safe? I am using some security tools to check this contract and somehow this part is flagged as "vulnerable". I just don't get it.

lllllllllllll
  • 257
  • 1
  • 10

1 Answers1

1

The main difference between send and call in this context is that send does not forward any extra gas (only 2300) but with call you can specify how much gas to forward.

If a send operation fails (runs out of gas) it returns false. So in the code if send fails it will next try sending the collectedFees by a call by giving all remaining gas (msg.gas) - this way it has higher chance of succeeding. Read more at send VS call - differences and when to use and when not to use

Giving the receiving contract (if it is a contract) all remaining gas opens up various vulnerabilities - most notably re-entrancy attacks. If the receiving contract has enough gas it can for example call the calling contract again and in some cases gain an advantage. You can read more about re-entrancy attacks for example here: https://medium.com/@gus_tavo_guim/reentrancy-attack-on-smart-contracts-how-to-identify-the-exploitable-and-an-example-of-an-attack-4470a2d8dfe4

Lauri Peltonen
  • 29,391
  • 3
  • 20
  • 57