This finding report identifies unsafe usage of ERC20 operations in the smart contracts implemented within the ContestManager.sol and Pot.sol files. The issue is that transfer and transferFrom are called directly on the token contract and their return values are never checked. Not every deployed ERC20 returns a boolean: some tokens return no data at all, and others return false on failure instead of reverting, so a direct call cannot be relied on to signal whether tokens actually moved. Utilizing OpenZeppelin's SafeERC20 library is recommended to mitigate these risks and ensure safer token transfers.
Low Issues (L-1): Unsafe Direct ERC20 Function Calls Compromise Transfer Reliability
Location in Code:
src/ContestManager.sol:37
src/Pot.sol:55
src/Pot.sol:65
ERC20 functions such as transfer and transferFrom do not consistently return meaningful results across all ERC20 token implementations. The ERC20 standard specifies a bool return value, but widely used tokens deviate from it: some return nothing (in which case a call through the IERC20 interface reverts on ABI decoding, making the token unusable with the contract), and some return false instead of reverting when the transfer cannot be completed. By calling these methods directly and discarding the result, the contract cannot detect an unsuccessful transfer: at the three locations above, execution continues and state is updated as though the payment had succeeded, putting funds at risk. Using OpenZeppelin's SafeERC20 library ensures that every transfer is checked for success and reverts otherwise, adding an extra layer of security and reliability to token operations.
Manual Code Review
Use SafeERC20 Library: Replace direct calls to ERC20 functions with the safe wrappers provided by OpenZeppelin's SafeERC20 (safeTransfer, safeTransferFrom, and, where allowances are managed, forceApprove). The library performs the low-level call itself, treats an empty return value as success so tokens without a bool return still work, and reverts if the call fails or returns false, so a failed transfer can never be silently ignored.
Example of implementation using SafeERC20:
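The report's own snippet is not reproduced on this page. The following is an added illustration, not code from ContestManager.sol or Pot.sol. It shows the two token behaviours the finding is about (a token that returns false, and a token that returns nothing) next to an unsafe payout function in the flagged style and the same function rewritten with SafeERC20. The contract names FalseReturningToken, NoReturnToken, UnsafePot and SafePot are hypothetical, and the import paths assume OpenZeppelin Contracts v5 is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding. Not the project's ContestManager.sol or Pot.sol.
// Assumes OpenZeppelin Contracts v5 is available under the @openzeppelin/ remapping.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical token that returns `false` instead of reverting when a
/// transfer cannot be completed. The ERC20 specification permits this.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert on failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical token whose `transfer` has no return value (USDT-style).
/// Calling it through the IERC20 interface reverts, because the caller expects
/// a 32-byte bool in the return data and receives none.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// The pattern flagged by the finding: the result of transfer is discarded.
contract UnsafePot {
    IERC20 public immutable token;
    mapping(address => uint256) public claimed;

    constructor(IERC20 _token) { token = _token; }

    function payout(address winner, uint256 amount) external {
        // With FalseReturningToken: the call returns false, execution continues,
        // and `claimed` records a payment that never happened.
        // With NoReturnToken: the call reverts on ABI decoding, so this pot can
        // never pay out that token at all.
        token.transfer(winner, amount);
        claimed[winner] += amount;
    }
}

/// The recommended pattern. SafeERC20 issues the call itself, accepts an empty
/// return value as success, and reverts with SafeERC20FailedOperation if the
/// call fails or returns false. Both hypothetical tokens behave correctly here.
contract SafePot {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public claimed;

    constructor(IERC20 _token) { token = _token; }

    function payout(address winner, uint256 amount) external {
        // Effects before interaction; if safeTransfer reverts, this state
        // change is rolled back with it, so `claimed` can never overstate payouts.
        claimed[winner] += amount;
        token.safeTransfer(winner, amount);
    }
}
```

Deploying UnsafePot against FalseReturningToken with an underfunded pot and calling payout shows the silent failure: the call succeeds, claimed[winner] increases, and the winner's balance is unchanged. The same call on SafePot reverts. Note that SafeERC20 makes failures loud; it does not make an underfunded pot solvent, so the accounting that decides how much to pay still has to be correct.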
By utilizing the SafeERC20 library, the contracts will handle token transfers more securely, preventing potential issues caused by unexpected return values.