MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Impossibility to fund contest with tokens that do not return a bool on transfer

Summary

After creating a contest, the contest manager is expected to add rewards to it. However, because the token address is wrapped in the IERC20 interface, this call reverts for certain tokens that do not conform strictly to the ERC20 standard, making it impossible to fund contests with them.

Vulnerability Details

To add rewards to the pot, the manager calls the fundContest function:

function fundContest(uint256 index) public onlyOwner {
    Pot pot = Pot(contests[index]);
@>  IERC20 token = pot.getToken();
    uint256 totalRewards = contestToTotalRewards[address(pot)];
    if (token.balanceOf(msg.sender) < totalRewards) {
        revert ContestManager__InsufficientFunds();
    }
@>  token.transferFrom(msg.sender, address(pot), totalRewards);
}

The issue arises because some tokens (e.g., USDT, BNB, OMG) do not return a boolean value on transfer operations. Wrapping these tokens in the IERC20 interface, which expects a boolean return value, will cause the transaction to revert.

Impact

The contest manager cannot add as a reward any token that does not return a boolean on transfer.

Tools Used

Manual code review

Recommendations

Use the SafeERC20 library implementation from OpenZeppelin and call safeTransfer or safeTransferFrom when handling ERC20 tokens in both Pot and ContestManager contracts.

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
