Pull Payment

A smart contract payment pattern where recipients withdraw funds themselves, preventing denial-of-service risks from push-based distribution.

Pull Payment is a smart contract design pattern where recipients actively withdraw (pull) their funds from a contract rather than having funds sent (pushed) to them automatically. This pattern is considered a security best practice in Solidity development because it eliminates several attack vectors inherent in push-based payment distribution.

The problem with push payments

In a push payment model, a contract iterates through an array of recipients and sends each one their share. This introduces multiple vulnerabilities:

  • Denial of Service (DoS): If any recipient is a contract that reverts on receiving ETH (via a malicious receive() or fallback() function), the entire loop fails and no one gets paid.
  • Gas limit exhaustion: If the recipient array grows large enough, the loop may exceed the block gas limit, making the function permanently uncallable.
  • Reentrancy: Each external call in the loop creates a potential reentrancy point that an attacker could exploit.

How pull payments work

In the pull pattern, the contract maintains an internal ledger tracking how much each recipient is owed. When funds arrive (e.g., royalty payments), the contract updates the balances but does not send any ETH. Each recipient calls a withdraw() function to claim their balance independently.

This means a malicious or broken recipient can only affect their own withdrawal—other recipients remain unaffected. OpenZeppelin provides a PullPayment base contract that implements this pattern with an escrow contract that holds funds until recipients claim them.
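As an added example (not code from the original page or from OpenZeppelin's PullPayment), the two contracts below put a royalty splitter in the push style the previous section warns about next to the ledger-plus-withdraw() pull style. The contract names PushRoyalties and PullRoyalties are hypothetical, and both assume a shares array in basis points that sums to 10_000.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Push style: the pattern the text warns about. A single recipient that reverts
// on receiving ETH makes distribute() fail for every recipient.
contract PushRoyalties {
    address[] public recipients;
    uint256[] public shares; // basis points, must sum to 10_000

    constructor(address[] memory r, uint256[] memory s) { recipients = r; shares = s; }

    function distribute() external payable {
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 amount = (msg.value * shares[i]) / 10_000;
            (bool ok, ) = recipients[i].call{value: amount}("");
            require(ok, "transfer failed"); // one failure reverts the whole loop
        }
    }
}

// Pull style: incoming funds only update an internal ledger; each party withdraws alone.
contract PullRoyalties {
    address[] public recipients;
    uint256[] public shares; // basis points, must sum to 10_000
    mapping(address => uint256) public owed; // ledger of claimable balances

    event Credited(address indexed to, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);
    constructor(address[] memory r, uint256[] memory s) { recipients = r; shares = s; }

    // Royalties arrive: no external calls here, so no recipient can block the split.
    receive() external payable {
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 amount = (msg.value * shares[i]) / 10_000;
            owed[recipients[i]] += amount;
            emit Credited(recipients[i], amount);
        }
    }

    // Checks-effects-interactions: zero the balance before the external call so a
    // reentrant call into withdraw() finds nothing left to claim.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed"); // only the caller's own withdrawal fails
        emit Withdrawn(msg.sender, amount);
    }
}
```

Note that receive() still iterates over the recipient list, so the block gas limit still bounds how many parties a single split can credit; what the pull version removes is the external call inside that loop.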

Application in IP royalties

Pull payments are especially important for intellectual property tokenization, where royalty splits often involve multiple parties (composers, producers, performers, publishers). The pull pattern ensures that a dispute or technical issue with one party's receiving address cannot block payments to all other stakeholders.

© 2024 Zealynx