MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

The `transferFrom` in `ContestManager::fundContest` is unchecked

Summary

The `ContestManager::fundContest` function transfers tokens through `transferFrom`, which returns a bool, but the return value is never checked, so a failed transfer goes unnoticed.

Impact

Several tokens return false from `transferFrom` instead of reverting when a transfer fails. With such a token, the owner of the contract who created the contest would believe the pot had been funded even though no tokens were sent to it. I would classify this vulnerability as low, since only the owner of the contract funds the contract.
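The failure mode described above, as an added Foundry test that is not part of the original submission or the MyCut code base. `FalseReturningToken`, `Funder` and the test names are hypothetical, and the imports assume forge-std and OpenZeppelin Contracts v5 are installed with the usual remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical token: every transferFrom fails softly by returning false instead of reverting.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

// Hypothetical funder with the same call shape as fundContest.
contract Funder {
    using SafeERC20 for IERC20;
    function fundUnchecked(IERC20 token, address pot, uint256 amount) external {
        token.transferFrom(msg.sender, pot, amount); // return value dropped
    }

    function fundSafe(IERC20 token, address pot, uint256 amount) external {
        token.safeTransferFrom(msg.sender, pot, amount); // reverts when the token returns false
    }
}

contract UncheckedTransferTest is Test {
    FalseReturningToken token = new FalseReturningToken();
    Funder funder = new Funder();
    address pot = address(0xB0B); // constructed placeholder address
    function setUp() public {
        token.mint(address(this), 100e18); // a balanceOf pre-check would pass
    }

    function test_UncheckedCallSucceedsButPotStaysEmpty() public {
        funder.fundUnchecked(IERC20(address(token)), pot, 100e18); // no revert
        assertEq(token.balanceOf(pot), 0); // nothing arrived in the pot
    }

    function test_SafeTransferFromReverts() public {
        vm.expectRevert();
        funder.fundSafe(IERC20(address(token)), pot, 100e18);
    }
}
```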

Tools Used

Manual code inspection

Recommendations

  1. Use the SafeERC20 library.

  2. Or add a custom error to the ContestManager contract and add these lines to the `ContestManager::fundContest` function:

+ error ContestManager__TransferFailed();
function fundContest(uint256 index) public onlyOwner {
Pot pot = Pot(contests[index]);
IERC20 token = pot.getToken();
uint256 totalRewards = contestToTotalRewards[address(pot)];
if (token.balanceOf(msg.sender) < totalRewards) {
revert ContestManager__InsufficientFunds();
}
- token.transferFrom(msg.sender, address(pot), totalRewards);
+ bool success = token.transferFrom(msg.sender, address(pot), totalRewards);
+ if(!success) {
+ revert ContestManager__TransferFailed();
+ }
}
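Review bot: the `if(!success)` check added after `bool success = token.transferFrom(...)` only catches tokens that return `false`. Because `token` is typed as `IERC20`, a token whose `transferFrom` returns no data at all would fail return-value decoding and revert even when the transfer itself succeeded, so `safeTransferFrom` from recommendation 1 is the more complete fix. As a style point, the new `error ContestManager__TransferFailed();` declaration would sit better next to the contract's existing `ContestManager__InsufficientFunds` error than directly above the function.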
Updates

Lead Judging Commences

equious Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
