The fundContest function in the ContestManager contract is responsible for transferring totalRewards from the msg.sender to the Pot contract. However, the function fails to verify if the msg.sender has provided sufficient allowance for the ContestManager contract to perform this transfer. This oversight could result in transaction reversion if the allowance is insufficient, causing potential disruptions and confusion.
In the fundContest function, the code attempts to transfer totalRewards from the msg.sender to the Pot contract using the IERC20 token's transferFrom method. This method requires that the msg.sender has previously approved the ContestManager contract to spend at least totalRewards on their behalf.
The current implementation checks only if msg.sender has sufficient balance to cover the totalRewards, but it does not check whether the required allowance has been set. If the allowance is less than totalRewards, the transferFrom call will fail, causing the entire transaction to revert.
This can lead to issues where users or the owner might not understand why the transaction failed, particularly if they are unaware of the need to set an allowance.
Transaction Failure: If the allowance is insufficient, the transferFrom call will fail, causing the entire transaction to revert. This can lead to confusion and inconvenience for users.
Usability Concerns: Users or the contract owner may be unaware that they need to set an allowance, leading to unexpected transaction failures.
Manual Review
To prevent this issue, the fundContest function should include a check to verify that msg.sender has provided sufficient allowance to the ContestManager contract before attempting the transferFrom operation.
Updated code:
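One way to implement the allowance check described above, written as an added example and not the report's or the project's own code. The contract name, the `potToTotalRewards` mapping, `registerPot`, and the custom error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for ContestManager; storage layout is assumed.
contract ContestManagerExample {
    error InsufficientFunds(uint256 balance, uint256 required);
    error InsufficientAllowance(uint256 allowed, uint256 required);
    error TransferFailed();

    address public immutable owner;
    IERC20 public immutable token;
    // Pot address => totalRewards owed to that Pot (assumed bookkeeping).
    mapping(address => uint256) public potToTotalRewards;

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    function registerPot(address pot, uint256 totalRewards) external {
        require(msg.sender == owner, "not owner");
        potToTotalRewards[pot] = totalRewards;
    }

    function fundContest(address pot) external {
        uint256 totalRewards = potToTotalRewards[pot];

        // Existing behaviour per the finding: balance is checked.
        uint256 balance = token.balanceOf(msg.sender);
        if (balance < totalRewards) revert InsufficientFunds(balance, totalRewards);

        // Added check: fail early with an explicit reason when the caller
        // has not approved this contract for at least totalRewards.
        uint256 allowed = token.allowance(msg.sender, address(this));
        if (allowed < totalRewards) revert InsufficientAllowance(allowed, totalRewards);

        // Some tokens return false instead of reverting, so check the result.
        if (!token.transferFrom(msg.sender, pot, totalRewards)) revert TransferFailed();
    }
}
```

The call still reverts when the allowance is too low, but with an error that names the cause and the shortfall. The caller must first approve the manager contract for at least `totalRewards` through the token's `approve` function.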