MyCut

First Flight #23
Beginner Friendly · Foundry
100 EXP
Submission Details
Severity: high
Invalid

unchecked-transfer

Summary

The ContestManager.fundContest() function does not check the return value of the ERC20 transferFrom operation, potentially leading to silent failures of token transfers.

Vulnerability Details

In ContestManager.fundContest() (src/ContestManager.sol#25-37), the following line does not check the return value:

```solidity
token.transferFrom(msg.sender, address(pot), totalRewards);
```

Impact

If this transfer fails by returning `false` rather than reverting, the contract continues to execute as if it had succeeded. This could lead to:

  • Inconsistent contract state

  • Potential loss of funds

  • Incorrect contest funding

The severity is high as it directly affects the core functionality of funding contests in the protocol.

Tools Used

Slither static analysis tool

Recommendations

Implement a check on the return value of the transferFrom operation:

```solidity
require(token.transferFrom(msg.sender, address(pot), totalRewards), "Token transfer failed");
```

Alternatively, consider using OpenZeppelin's SafeERC20 library for safer token transfers.

```solidity
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// In the contract
using SafeERC20 for IERC20;

// In the function
token.safeTransferFrom(msg.sender, address(pot), totalRewards);
```
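To show the difference between the two patterns concretely, here is an added Foundry test that is not part of the MyCut code base or of this submission. It assumes OpenZeppelin and forge-std are installed, and it uses a constructed mock token (`FalseReturningToken`) that returns `false` instead of reverting, which is exactly the token behaviour an unchecked `transferFrom` cannot detect. The `Funder` contract, its `pot` address and the `funded` counter are hypothetical stand-ins for the `fundContest()` pattern described above, not the protocol's own code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the MyCut repository): contrasts an unchecked
// transferFrom with the SafeERC20 wrapper against a token that signals
// failure by returning false.
import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock token: minimal ERC20 whose transfers return false
/// (instead of reverting) when balance or allowance is insufficient.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public override allowance;
    uint256 public override totalSupply;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
        emit Transfer(address(0), to, amount);
    }

    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (allowance[from][msg.sender] < amount) return false; // no revert, just false
        allowance[from][msg.sender] -= amount;
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (balanceOf[from] < amount) return false; // no revert, just false
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
        return true;
    }
}

/// Hypothetical funding contract mirroring the fundContest() pattern.
contract Funder {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable pot;
    uint256 public funded; // accounting that must match tokens actually moved

    constructor(IERC20 _token, address _pot) {
        token = _token;
        pot = _pot;
    }

    /// Unchecked pattern: a false return is ignored and accounting still advances.
    function fundUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, pot, amount);
        funded += amount;
    }

    /// Hardened pattern: SafeERC20 reverts when the token returns false.
    function fundSafe(uint256 amount) external {
        token.safeTransferFrom(msg.sender, pot, amount);
        funded += amount;
    }
}

contract UncheckedTransferTest is Test {
    FalseReturningToken token;
    Funder funder;
    address pot = address(0xBEEF); // constructed pot address

    function setUp() public {
        token = new FalseReturningToken();
        funder = new Funder(token, pot);
        // The caller approves but holds no balance, so transferFrom returns false.
        token.approve(address(funder), 1 ether);
    }

    function test_uncheckedTransferSilentlyDesyncsState() public {
        funder.fundUnchecked(1 ether);
        assertEq(token.balanceOf(pot), 0);   // nothing actually moved
        assertEq(funder.funded(), 1 ether);   // but the contract believes it did
    }

    function test_safeTransferFromRevertsInstead() public {
        vm.expectRevert(); // SafeERC20 reverts on a false return value
        funder.fundSafe(1 ether);
        assertEq(funder.funded(), 0);         // accounting stays consistent
    }
}
```

Run it with `forge test` from a project that has both dependencies installed. The first test is the state desynchronisation the Impact section describes; the second shows that either the `require` wrapper or `safeTransferFrom` turns that silent failure into a revert. Note that tokens which revert on failure (such as OpenZeppelin's `ERC20`) never reach the unchecked path, which is why the exposure depends on which token the contest is funded with.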

Updates

Lead Judging Commences

equious Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
