MyCut

First Flight #23
Tags: Beginner Friendly, Foundry
Submission Details
Severity: high
Status: Invalid

Missing Approval Check in ERC20 Token Transfers

Summary

The ContestManager smart contract lacks a critical check to ensure that the msg.sender has approved the transfer of tokens before the contract attempts to transfer them using the IERC20(token).transferFrom() function. This omission can lead to transaction failures, disrupting the contest funding process and negatively impacting the user experience.

Vulnerability Details

The fundContest function assumes that the sender has already granted the necessary approval for the contract to transfer tokens on their behalf.

```solidity
function fundContest(uint256 index) public onlyOwner {
    Pot pot = Pot(contests[index]);
    IERC20 token = pot.getToken();
    uint256 totalRewards = contestToTotalRewards[address(pot)];
    if (token.balanceOf(msg.sender) < totalRewards) {
        revert ContestManager__InsufficientFunds();
    }
    // Only the balance is checked above; the allowance granted to this
    // contract is never verified before transferFrom is called.
    token.transferFrom(msg.sender, address(pot), totalRewards);
}
```

The contract does not include a pre-check to verify that the msg.sender has approved the necessary token amount before executing the transferFrom function.

Impact

Without sufficient approval, the transferFrom function will revert the transaction, preventing the contest from being funded and potentially causing delays or operational issues. Users may be confused or frustrated by repeated transaction failures without clear guidance on why the transfer is failing or how to fix it.

Tools Used

Manual Review

Recommendation

Before attempting the transferFrom call, add a check to ensure that the msg.sender has approved the necessary amount. Use the ERC20 allowance function to verify this.
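The recommended pre-check applied to fundContest, as an added example that is not code from the MyCut repository or the original report. The Pot interface, the storage layout, the onlyOwner modifier and the ContestManager__InsufficientAllowance error name are assumptions, since the page shows only the function body.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Assumed minimal Pot interface; the real Pot contract is not shown on this page.
interface IPot {
    function getToken() external view returns (IERC20);
}

contract ContestManagerHardened {
    error ContestManager__InsufficientFunds();
    // Assumed error name, added for this example; carries both amounts so the
    // caller can see exactly how much approval is still missing.
    error ContestManager__InsufficientAllowance(uint256 required, uint256 current);

    address public owner;
    address[] public contests;
    mapping(address => uint256) public contestToTotalRewards;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function fundContest(uint256 index) public onlyOwner {
        IPot pot = IPot(contests[index]);
        IERC20 token = pot.getToken();
        uint256 totalRewards = contestToTotalRewards[address(pot)];

        if (token.balanceOf(msg.sender) < totalRewards) {
            revert ContestManager__InsufficientFunds();
        }

        // Added check: confirm the owner has approved this contract for at least
        // totalRewards before calling transferFrom, so a missing approval fails
        // with a descriptive custom error rather than the token's own revert.
        uint256 allowed = token.allowance(msg.sender, address(this));
        if (allowed < totalRewards) {
            revert ContestManager__InsufficientAllowance(totalRewards, allowed);
        }

        token.transferFrom(msg.sender, address(pot), totalRewards);
    }
}
```

The check does not change which calls succeed, since transferFrom would revert on a short allowance anyway; its value is that the revert reason now names the contract's own condition and the exact shortfall.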

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
