The Pull Payment Pattern - Withdraw payments when outbid
Also note that any sort of math like this _should_ be checking for overflows, which we'll talk about later.
Let's get back to the million ether page contract. Now we that we have a grasp on how to send payments let's issue refunds when a pixel is outbid.
Taking a look at our
colorPixel function, the obvious solution would be, after we've verified that the new bid price is greater than the sold price, we should .send the funds back to the previous owner.
That code might look like this:
That looks pretty clean! But wait a second. What do you think about this code? Are there any problems or potential attacks? I can think of one.
.transfer will revert all changes if sending the funds fails. So if an attacker could craft a contract which buys the pixel and then always deliberately fails when you try to send it value, the result would be that no one could ever buy that pixel again!
Every time someone outbids them, this contract would fail to instate the new higher bid, because the transfer would fail.
This problem shows up in Ethereum smart contracts all the time, so much so, that the solution has a name called the Pull-Payment pattern.
The idea applied here means that instead of sending the ether refund inline, we keep track of pending refunds internally. Then the account that receives the refund must submit a separate transaction to pull the funds out.