MyCut
First Flight #23
Beginner Friendly · Foundry
100 EXP

Submission Details
Severity: medium
Status: Invalid

Unchecked token transfers

Summary

A review of the ContestManager and Pot smart contracts identified a severe vulnerability involving unchecked token transfers. This issue affects both the funding of contests and the distribution of rewards, and can lead to loss of funds and to contract state that no longer matches actual token balances.

Vulnerability Details

  1. ContestManager Contract:

    function fundContest(uint256 index) public onlyOwner {
        // ... [previous code omitted for brevity]
        // the bool returned by transferFrom is discarded
        token.transferFrom(msg.sender, address(pot), totalRewards);
    }

  2. Pot Contract:

    function _transferReward(address player, uint256 reward) internal {
        // the bool returned by transfer is discarded
        i_token.transfer(player, reward);
    }

In both cases the boolean returned by transferFrom and transfer is discarded. A token that signals failure by returning false rather than reverting (a behaviour the ERC-20 standard allows) would leave these calls completing without moving any tokens, so the failure is never observed by the calling contract.

Impact

  • Financial Loss: Funds may be lost due to failed transfers that are not detected.

  • Inconsistent State: Contract states may not reflect actual token balances.

  • Systemic Risk: The entire contest lifecycle, from funding to reward distribution, is affected.

  • Trust Issues: The reliability and integrity of the entire system are compromised.

Tools Used

Manual code review

AI for report

Recommendations

  1. Implement Return Value Checks:

    bool success = token.transferFrom(msg.sender, address(pot), totalRewards);
    require(success, "Token transfer failed");

  2. Use SafeERC20:

    import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

    contract ContestManager is Ownable {
        using SafeERC20 for IERC20;
        // ...
        function fundContest(uint256 index) public onlyOwner {
            // ...
            // reverts if the call fails or returns false; also handles tokens that return no value
            token.safeTransferFrom(msg.sender, address(pot), totalRewards);
        }
        // ...
    }

  3. Consider Reentrancy Guards: Implement reentrancy protection, especially for functions involving token transfers.
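The following Foundry test is an added example, not part of this submission or of the MyCut codebase. It reproduces the silent failure described under Vulnerability Details and contrasts it with the SafeERC20 fix from recommendation 2. FalseReturningToken, PotUnchecked and PotChecked are constructed stand-ins for the project's contracts (access control is omitted so the test stays focused on the transfer call), and the imports assume forge-std and OpenZeppelin are installed under the paths shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: ERC20-shaped token that reports failure by returning false
// instead of reverting. This is the token behaviour that makes unchecked calls unsafe.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert, just false
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for the Pot pattern flagged in the report: return value discarded.
contract PotUnchecked {
    IERC20 public immutable i_token;
    mapping(address => uint256) public claimed;

    constructor(IERC20 token) { i_token = token; }

    function claim(address player, uint256 reward) external {
        claimed[player] += reward;        // bookkeeping says "paid" ...
        i_token.transfer(player, reward); // ... even when this returns false
    }
}

// Hardened stand-in: SafeERC20 reverts when the call fails or returns false,
// so the bookkeeping above can never diverge from the real balance.
contract PotChecked {
    using SafeERC20 for IERC20;

    IERC20 public immutable i_token;
    mapping(address => uint256) public claimed;

    constructor(IERC20 token) { i_token = token; }

    function claim(address player, uint256 reward) external {
        claimed[player] += reward;
        i_token.safeTransfer(player, reward);
    }
}

contract UncheckedTransferTest is Test {
    FalseReturningToken token;
    address player = makeAddr("player");

    function setUp() public {
        token = new FalseReturningToken();
    }

    // Pot holds no tokens, so transfer() returns false. The unchecked pot still
    // records the claim: state says the player was paid, the balance says otherwise.
    function test_uncheckedPotRecordsClaimWithoutPaying() public {
        PotUnchecked pot = new PotUnchecked(IERC20(address(token)));
        pot.claim(player, 1 ether);
        assertEq(pot.claimed(player), 1 ether);
        assertEq(token.balanceOf(player), 0);
    }

    // Same scenario through SafeERC20: the whole call reverts and no state changes.
    function test_checkedPotRevertsOnFalseReturn() public {
        PotChecked pot = new PotChecked(IERC20(address(token)));
        vm.expectRevert();
        pot.claim(player, 1 ether);
        assertEq(pot.claimed(player), 0);
    }

    // Control: once funded, the hardened pot pays out normally.
    function test_checkedPotPaysWhenFunded() public {
        PotChecked pot = new PotChecked(IERC20(address(token)));
        token.mint(address(pot), 1 ether);
        pot.claim(player, 1 ether);
        assertEq(token.balanceOf(player), 1 ether);
        assertEq(pot.claimed(player), 1 ether);
    }
}
```

Run with `forge test --match-contract UncheckedTransferTest`. The first test is the inconsistent-state outcome from the Impact section; the second shows why SafeERC20 (or an explicit require on the returned bool) closes it: a false return is turned into a revert, so the claim accounting is rolled back together with the failed transfer.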

Updates

Lead Judging Commences

equious Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
