Refund overpayments?

MetalGearSolidity · October 19, 2022, 12:12am

I am using this in a contract to refund overpayments of a payable function. fees are calculated in the line above this.

if (msg.value > fees){
            uint256 excess = msg.value - fees;
            (bool success, ) = payable(msg.sender).call{value: excess}("");
            require(success, "Failed");
        }

After an audit I got the following feedback.

Description
The use of low-level calls is error-prone. Low-level calls do not check for code existence or call
success.

Recommendation
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code
existence.

Any thought on this process for refunding the difference after a payable function.

Skyge · October 19, 2022, 12:28am

I think it is ok to use low-level calls, as long as you know what you are doing. And when you send eth to an address like this, maybe you should notice the risk of the reentrancy.

Topic		Replies	Views
What makes a lowlevel `call` return false and what opcodes fail but do not revert? Support	3	266	May 10, 2021
DApp low-level or high-level calls among contracts Support	4	868	June 23, 2021
[Discussion] Do smart contract developers have a bad habit of “over-securing”? General	12	598	March 7, 2019
A brief analysis of the new try/catch functionality in Solidity 0.6 Guides and Tutorials	3	8948	April 15, 2022
Is this function vulnerable to a reentrancy attack? Smart Contracts	10	531	August 15, 2022

Refund overpayments?

Related Topics