Summary
The function createGameWithToken performs a token transfer using transferFrom() without validating its return value. This violates the ERC-20 specification and introduces a logic flaw: the function may proceed without having successfully received the required token.
Function:
createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval) external payable returns (uint256)
Code Affected:
This call to transferFrom() ignores its return value (bool), which may lead to the false assumption that the token transfer succeeded when it has in fact failed silently. According to the ERC-20 standard, a compliant implementation must return true on success; not all tokens revert on failure.
A malicious or non-compliant ERC-20 token could return false without reverting. The contract would then continue execution and create a game even though the token was never transferred.
This can break trust assumptions, cause game state corruption, and potentially allow users to play without paying the entry token.
If the game logic later tries to use the token, assuming it is held, this could lead to unexpected errors or token imbalances.
Tools Used:
Manual review, Slither
Update the transfer call to explicitly check the return value:
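The following is an added illustration, not code from the audited project. It places the unchecked pattern next to the checked one and includes a mock token that returns false without reverting, so the difference in behaviour can be reproduced in a test environment. The names entryToken, entryFee, Game, games and the GameFactory contracts are assumptions; only the createGameWithToken signature comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). entryToken, entryFee, Game and
// games are assumed names; the createGameWithToken signature is from the finding.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Mock of a non-compliant token: reports failure by returning false
/// instead of reverting. Nothing is moved, and the caller is not interrupted.
contract FalseReturningToken is IERC20 {
    function transferFrom(address, address, uint256) external pure override returns (bool) {
        return false;
    }
}

/// Vulnerable variant: the bool returned by transferFrom is discarded, so a
/// game is created even when no entry fee was received.
contract GameFactoryUnchecked {
    struct Game { address creator; uint256 totalTurns; uint256 timeoutInterval; }

    IERC20 public immutable entryToken;
    uint256 public immutable entryFee;
    Game[] public games;

    constructor(IERC20 _entryToken, uint256 _entryFee) {
        entryToken = _entryToken;
        entryFee = _entryFee;
    }

    function createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval)
        external payable returns (uint256)
    {
        // BUG: return value ignored; a false return does not stop execution.
        entryToken.transferFrom(msg.sender, address(this), entryFee);
        games.push(Game(msg.sender, _totalTurns, _timeoutInterval));
        return games.length - 1;
    }
}

/// Fixed variant: the transfer must report success or the whole call reverts,
/// so no game is ever recorded without the entry fee being held.
contract GameFactoryChecked {
    struct Game { address creator; uint256 totalTurns; uint256 timeoutInterval; }

    IERC20 public immutable entryToken;
    uint256 public immutable entryFee;
    Game[] public games;

    error EntryFeeTransferFailed();

    constructor(IERC20 _entryToken, uint256 _entryFee) {
        entryToken = _entryToken;
        entryFee = _entryFee;
    }

    function createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval)
        external payable returns (uint256)
    {
        bool ok = entryToken.transferFrom(msg.sender, address(this), entryFee);
        if (!ok) revert EntryFeeTransferFailed();
        games.push(Game(msg.sender, _totalTurns, _timeoutInterval));
        return games.length - 1;
    }
}
```

Deploying FalseReturningToken as the entry token makes the contrast visible: GameFactoryUnchecked.createGameWithToken returns a new game id while holding no tokens, whereas GameFactoryChecked reverts with EntryFeeTransferFailed. In practice the usual fix is OpenZeppelin's SafeERC20.safeTransferFrom, which performs this same check and additionally tolerates tokens that return no value at all on success, a case the plain require pattern would reject.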
ERC20 implementation typically reverts on transfer failures