Beginner Friendly, Foundry, NFT
Submission Details
Severity: low
Invalid

Not handling return values of transfer, approve, and transferFrom could lead to ignored failures.

Summary

Not handling return values of transfer, approve, and transferFrom could lead to ignored failures.

Vulnerability Details

The interface ICredToken is not handling return values for the functions transfer, approve, and transferFrom.

Impact

This could lead to ignored failures in the function _battle(uint256 _tokenId, uint256 _credBet) when transferring the Token and CredToken:

  • credToken.transfer(_defender, defenderBet);

  • credToken.transferFrom(msg.sender, _defender, _credBet);

  • oneShotNft.transferFrom(address(this), _defender, defenderTokenId);

In the function stake(uint256 tokenId) when staking credToken:

  • oneShotContract.transferFrom(msg.sender, address(this), tokenId);

  • oneShotContract.transferFrom(msg.sender, address(this), tokenId);

  • oneShotContract.transferFrom(address(this), msg.sender, tokenId);

In the function unstake(uint256 tokenId) external when unstaking:

  • oneShotContract.transferFrom(address(this), msg.sender, tokenId);

Tools Used

Manual review

Recommendations

The interface should adhere to the ERC20 specification by ensuring return values are handled correctly or by using SafeERC20 for safer interactions. This includes methods such as:

  • approve(address spender, uint256 amount) → bool

  • transferFrom(address sender, address recipient, uint256 amount) → bool

  • transfer(address recipient, uint256 amount) → bool

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
