MyCut
First Flight #23 (Beginner Friendly, Foundry)

Submission Details
Severity: high
Status: Invalid

Unchecked External Call in `Pot::_transferReward` function.

Description: Pot::_transferReward calls i_token.transfer, an external call whose boolean return value is never checked. Some tokens that do not fully adhere to the ERC20 standard signal a failed transfer by returning false rather than reverting, so a failed transfer goes unnoticed and the contract continues as if the tokens had been sent.

Impact: If the token transfer fails, it could cause the contract to behave unexpectedly, potentially locking funds or causing incorrect state updates. This could result in users not receiving their rewards or the contract being unable to distribute remaining funds correctly.

Proof of Concept: The current implementation of the _transferReward function does not check the success of the transfer call:

function _transferReward(address player, uint256 reward) internal {
    i_token.transfer(player, reward); // boolean return value is discarded
}

If i_token is a non-standard ERC20 token that returns false instead of reverting, the transfer might silently fail, leaving remainingRewards inconsistent with actual token balances.

Recommended Mitigation: Use OpenZeppelin's SafeERC20 library, which provides a safeTransfer function that handles the return value correctly and reverts on failure. Modify the contract as follows:

import {IERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/utils/SafeERC20.sol";
contract Pot {
    using SafeERC20 for IERC20; // attaches safeTransfer to IERC20 values such as i_token
    function _transferReward(address player, uint256 reward) internal {
        i_token.safeTransfer(player, reward); // reverts on a false return or a failed call
    }
}
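To make the failure mode concrete, here is an added Foundry test (not part of the original submission or of the MyCut codebase) that pairs a constructed token returning false with a minimal pot exposing both the unchecked and the SafeERC20 paths; the contract names, the claim functions and the lib/ import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "lib/forge-std/src/Test.sol";
import {IERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: transfer() reports failure by returning false instead of reverting.
contract FalseReturnToken {
    mapping(address => uint256) public balanceOf;
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure, no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical minimal pot shaped like the report's Pot: accounting first, then the transfer.
contract Pot {
    using SafeERC20 for IERC20;
    IERC20 public immutable i_token;
    uint256 public remainingRewards;
    constructor(IERC20 t, uint256 r) { i_token = t; remainingRewards = r; }
    // Same pattern as the report's _transferReward: the bool from transfer() is discarded.
    function claimUnchecked(address player, uint256 reward) external {
        remainingRewards -= reward;
        i_token.transfer(player, reward);
    }
    // Recommended mitigation: safeTransfer reverts on a false return, rolling the accounting back.
    function claimSafe(address player, uint256 reward) external {
        remainingRewards -= reward;
        i_token.safeTransfer(player, reward);
    }
}

contract TransferReturnTest is Test {
    address player = makeAddr("player");
    FalseReturnToken tok = new FalseReturnToken(); // pot holds no tokens, so every transfer fails
    Pot pot = new Pot(IERC20(address(tok)), 100);
    function testUncheckedClaimDesyncsAccounting() public {
        pot.claimUnchecked(player, 100);     // succeeds despite the failed transfer
        assertEq(pot.remainingRewards(), 0); // pot believes 100 tokens were paid out
        assertEq(tok.balanceOf(player), 0);  // player actually received nothing
    }

    function testSafeClaimReverts() public {
        vm.expectRevert();
        pot.claimSafe(player, 100);
        assertEq(pot.remainingRewards(), 100); // state untouched after the revert
    }
}
```

Run with `forge test` in a project that has forge-std and openzeppelin-contracts installed under lib/; the first test passes only because the failed transfer is invisible to the pot, which is exactly the inconsistency the finding describes.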
Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
