`ContestManager::claimCut` function lack of verification of the return value in the `transfer` external call
Description:
This part of code misses to verify the return value of the external transfer call, this is risky because not all the token transfer functions revert on fail, some tokens return false if the transfer fails.
Impact:
For example it could be an scenario where the transfer fails in the Pot.sol::claimCut function, the reward for the user is set to zero but actually the user didn't receive the funds and the transaction didn't revert.
Proof of Concept:
Claimer wants to claim their cut, so call Pot.sol::claimCut function. The rewards of the claimer are set to zero and the remainingRewards is reduced by the claimer reward amount. Then for any reason the transfer fails and as there isn't a success transfer verification the transaction doesn't revert.
User realizes he didn't receive their cut, so he tries again but in this case the transaction revert with a Pot__RewardNotFound error because now he has zero rewards.
Recommended Mitigation:
Use SafeERC20, or ensure that the transfer/transferFrom return value is checked.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.