The return value of the external transferFrom call is not being properly checked.
Certain token contracts do not revert on failure and instead return false. If such a token is used within the createGameWithToken function, a deposit will not revert when the transfer fails. An attacker could therefore call the deposit function without triggering any failure condition, effectively making a deposit for free.
References:
Line 131 - RockPaperScissors.sol (https://github.com/CodeHawks-Contests/2025-04-rock-paper-scissors/blob/25cf9f29c3accd96a532e416eee6198808ba5271/src/RockPaperScissors.sol#L131)
Line 180 - RockPaperScissors.sol (https://github.com/CodeHawks-Contests/2025-04-rock-paper-scissors/blob/25cf9f29c3accd96a532e416eee6198808ba5271/src/RockPaperScissors.sol#L180)
An attacker could exploit this vulnerability to bypass the token transfer mechanism, potentially leading to unauthorized deposits without actual token transfers.
Slither (static analysis tool)
Manual review
To mitigate this risk, it is recommended to either:
use require(winningToken.transferFrom(...), "Transfer failed");
use SafeERC20 for safer token transfers, or
explicitly check the return value of transferFrom to ensure that the transfer was successful before proceeding with further operations.
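As an added illustration (not code from the contest repository): a constructed token that returns false instead of reverting, beside a minimal game contract with the unchecked call and the same contract fixed with SafeERC20. Apart from createGameWithToken and winningToken, the contract, function and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock of a token that signals failure by returning false rather than reverting.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Before: the return value is ignored, so with the mock above a caller holding no tokens
// is still credited with a deposit (illustrative names, not the contest contract).
contract GameVulnerable {
    IERC20 public winningToken;
    mapping(address => uint256) public deposited;
    constructor(IERC20 token) { winningToken = token; }

    function createGameWithToken(uint256 amount) external {
        winningToken.transferFrom(msg.sender, address(this), amount); // return value unchecked
        deposited[msg.sender] += amount;
    }
}

// After: safeTransferFrom reverts when the token reverts or returns false (and tolerates
// tokens that return nothing), so the deposit is only credited when tokens actually moved.
contract GameFixed {
    using SafeERC20 for IERC20;
    IERC20 public winningToken;
    mapping(address => uint256) public deposited;
    constructor(IERC20 token) { winningToken = token; }

    function createGameWithToken(uint256 amount) external {
        winningToken.safeTransferFrom(msg.sender, address(this), amount);
        deposited[msg.sender] += amount;
    }
}
```

Deploying FalseReturningToken, wrapping it as IERC20(address(token)), and calling createGameWithToken from an account with zero balance succeeds on GameVulnerable but reverts on GameFixed.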
ERC20 implementation typically reverts on transfer failures