Push Payment Explained in Detail
Push payment sends ETH or tokens to a recipient during another operation. For example, an auction may try to refund the previous bidder inside the new bid() call.
This is simple, but it gives recipient code a chance to revert, consume gas, or reenter.
Smart contract example
(bool ok, ) = recipient.call{value: amount}("");
require(ok, "payment failed");
If recipient is untrusted, this can block the parent operation.
Push Payment in Auditing
Push payments are a common source of reentrancy and denial of service. One malicious recipient can sometimes freeze bidding, distribution, liquidation, or settlement.
Auditors ask whether a pull payment design would be safer.
Red flags in code
-
Refunds are sent inline to untrusted addresses.
-
Batch payouts require every recipient to accept payment.
-
State updates happen after the payment call.
-
Low-level call results are ignored.
-
transferorsendis assumed to be universally safe.
How to test or review it
-
Test recipients that revert, consume gas, and reenter.
-
Check whether one failed payment blocks unrelated users.
-
Review state ordering with checks-effects-interactions.
-
Test batch payout limits.
-
Consider converting risky refunds into pull payments.
Keep learning this topic
Pull Payment
Pull payment is a payout pattern where a contract records owed funds and lets recipients withdraw later.
External Call
An external call is an interaction where one smart contract calls another address, creating a trust boundary and possible control-flow risk.
Denial of Service
Denial of service is a bug or attack that makes a contract function or protocol path unusable.
Practice this in real audit scenarios
Definitions help, but auditors need reps. SCH turns concepts like Push Payment into exploit labs, code review habits, and report-writing practice.
Start the free trial or see the full smart contract auditing course.