Summary

The ContestManager.fundContest() function does not check the return value of the ERC20 transferFrom operation, potentially leading to silent failures of token transfers.

Vulnerability Details

In ContestManager.fundContest() (src/ContestManager.sol#25-37), the following line does not check the return value: ```solidity

token.transferFrom(msg.sender, address(pot), totalRewards)

Impact

If this transfer fails, the contract will continue to execute as if it was successful. This could lead to:

• Inconsistent contract state

• Potential loss of funds

• Incorrect contest funding

The severity is high as it directly affects the core functionality of funding contests in the protocol.

Tools Used

Slither static analysis tool

Recommendations

Implement a check on the return value of the transferFrom operation:

require(token.transferFrom(msg.sender, address(pot), totalRewards), "Token transfer failed");

Alternatively, consider using OpenZeppelin's SafeERC20 library for safer token transfers.

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// In the contract
using

SafeERC20 for IERC20;

// In the function

token.safeTransferFrom(msg.sender, address(pot), totalRewards);