The ContestManager.fundContest() function does not check the return value of the ERC20 transferFrom operation, potentially leading to silent failures of token transfers.
In ContestManager.fundContest() (src/ContestManager.sol#25-37), the following line does not check the return value:

```solidity
token.transferFrom(msg.sender, address(pot), totalRewards);
```
If this transfer fails, the contract will continue to execute as if it had succeeded. This could lead to:

- Inconsistent contract state
- Potential loss of funds
- Incorrect contest funding
The severity is high, as it directly affects the core functionality of funding contests in the protocol.

Tools used: Slither static analysis tool.
Implement a check on the return value of the transferFrom operation:

```solidity
require(token.transferFrom(msg.sender, address(pot), totalRewards), "Token transfer failed");
```
Alternatively, consider using OpenZeppelin's SafeERC20 library for safer token transfers:

```solidity
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// In the contract
using SafeERC20 for IERC20;

// In the function
token.safeTransferFrom(msg.sender, address(pot), totalRewards);
```
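As an added illustration (not the audited ContestManager and not project code), the following self-contained Solidity file reproduces the failure mode from the finding: a token that signals failure by returning `false` rather than reverting, an unchecked funder whose bookkeeping advances even though no tokens moved, and the same funder with the `require` check from the recommendation above. The contract names, the `totalFunded` counter, the `pot` address and the mock token are assumptions constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by this illustration.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed mock: reports failure by returning false instead of reverting.
// Allowances are skipped on purpose; the point is the return value.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (balanceOf[from] < amount) {
            return false; // silent failure path, no revert
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical stand-in for the unchecked pattern; field names are assumptions.
contract UncheckedFunder {
    IERC20 public immutable token;
    address public immutable pot;
    uint256 public totalFunded;

    constructor(IERC20 token_, address pot_) {
        token = token_;
        pot = pot_;
    }

    function fundContest(uint256 totalRewards) external {
        token.transferFrom(msg.sender, pot, totalRewards); // return value ignored
        totalFunded += totalRewards; // bookkeeping advances even when no tokens moved
    }
}

// Same contract with the require() check from the recommendation.
contract CheckedFunder {
    IERC20 public immutable token;
    address public immutable pot;
    uint256 public totalFunded;

    constructor(IERC20 token_, address pot_) {
        token = token_;
        pot = pot_;
    }

    function fundContest(uint256 totalRewards) external {
        require(token.transferFrom(msg.sender, pot, totalRewards), "Token transfer failed");
        totalFunded += totalRewards; // only reached when the transfer reported success
    }
}

// Harness: deploys both funders and calls them from an account holding no tokens.
// Returns (true, true) when the unchecked contract records 100 of funding while the pot
// received nothing, and the checked contract reverted instead.
contract Demo {
    function run() external returns (bool uncheckedDesynced, bool checkedReverted) {
        FalseReturningToken token = new FalseReturningToken();
        address pot = address(0xBEEF); // constructed pot address for the demo
        UncheckedFunder u = new UncheckedFunder(token, pot);
        CheckedFunder c = new CheckedFunder(token, pot);

        u.fundContest(100);
        uncheckedDesynced = (u.totalFunded() == 100 && token.balanceOf(pot) == 0);

        try c.fundContest(100) {
            checkedReverted = false;
        } catch {
            checkedReverted = true;
        }
    }
}
```

Deploy `Demo` and call `run()` in Remix or any EVM test runner to observe both outcomes in one transaction. The `require` form is sufficient for tokens that return a boolean; for tokens that return no value at all, decoding the missing `bool` reverts the call, so SafeERC20's `safeTransferFrom`, which tolerates both shapes, is the more general choice.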