Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: medium
Invalid

Unchecked Return Value in ERC-20 Token Transfer `createGameWithToken()` function in `RockPaperScissors.sol`

🚨 Finding: Unchecked Return Value in ERC-20 Token Transfer

📊 Summary

The `createGameWithToken()` function in `RockPaperScissors.sol` calls the ERC-20 `transferFrom` without checking its return value. If the token signals failure by returning `false` rather than reverting, the transfer fails silently while the contract proceeds as though the stake had been received, leaving the game state inconsistent.


🔍 Vulnerable Code

File: RockPaperScissors.sol
Function: createGameWithToken()
Line: ~131

```solidity
winningToken.transferFrom(msg.sender, address(this), 1); // ⚠️ Return value unchecked
```

In the current implementation, the return value of `transferFrom()` is never inspected. Under the ERC-20 specification, `transferFrom` returns `true` on success and `false` on failure, and callers must not assume that a failed transfer reverts. Some tokens (e.g., USDT) do not revert on failure, so a silent failure can go unnoticed.


📈 Impact

  • A player may be admitted to a token-based game without a token ever being transferred.
  • Games can become locked: `playerB` is set, but no stake is actually held by the contract.
  • Game fairness is broken, and the behaviour can be exploited by a player whose transfer fails because of insufficient allowance or balance.


🔎 Recommendation

Always check the return value of `transferFrom()` to ensure the token transfer succeeded:

```solidity
require(
    winningToken.transferFrom(msg.sender, address(this), 1),
    "Token transfer failed"
);
```

This ensures the function halts execution on transfer failure, preserving protocol integrity and fairness.
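To make the failure mode concrete, here is an added, self-contained example (not code from the RockPaperScissors project or from this submission). It pairs a constructed mock token that returns `false` instead of reverting with a hypothetical escrow contract named `TokenEscrowExample` that shows the unchecked pattern next to two hardened variants: the `require` from the recommendation above, and a low-level `_safeTransferFrom` that also tolerates tokens which return no data at all (the SafeERC20 approach, written out here rather than imported). All contract, function and state names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the example (assumed interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed mock: signals failure with a `false` return instead of reverting.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000; // constructed initial supply
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) {
            return false; // silent failure: no revert, state unchanged
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical escrow contrasting the unchecked call with two checked forms.
contract TokenEscrowExample {
    IERC20 public immutable winningToken;
    mapping(uint256 => address) public playerB; // who joined game `gameId`

    constructor(IERC20 token) {
        winningToken = token;
    }

    // VULNERABLE: mirrors the finding. If transferFrom returns false, the
    // caller is still recorded as playerB while the contract holds no stake.
    function joinUnchecked(uint256 gameId) external {
        winningToken.transferFrom(msg.sender, address(this), 1);
        playerB[gameId] = msg.sender;
    }

    // HARDENED: the recommendation above. A `false` return now reverts,
    // so playerB is only set when the stake is actually held.
    function joinChecked(uint256 gameId) external {
        require(winningToken.transferFrom(msg.sender, address(this), 1), "Token transfer failed");
        playerB[gameId] = msg.sender;
    }

    // HARDENED and tolerant of non-standard tokens: handles both a `false`
    // return and tokens whose transferFrom returns no data at all.
    function joinSafe(uint256 gameId) external {
        _safeTransferFrom(address(winningToken), msg.sender, address(this), 1);
        playerB[gameId] = msg.sender;
    }

    function _safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // A low-level call to an address with no code "succeeds" with empty
        // return data, so rule that out before trusting an empty reply.
        require(token.code.length > 0, "Token is not a contract");

        (bool ok, bytes memory data) = token.call(
            abi.encodeCall(IERC20.transferFrom, (from, to, amount))
        );

        // Accept the transfer only if the call did not revert AND either
        // (a) nothing was returned (USDT-style token), or
        // (b) the returned bool decodes to true.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "Token transfer failed");
    }
}
```

With `FalseReturningToken` deployed and no allowance granted, `joinUnchecked` records `playerB[gameId]` while the escrow's balance stays at zero; `joinChecked` and `joinSafe` both revert with "Token transfer failed" and leave `playerB` unset. Note that `joinChecked` relies on the interface declaring a `bool` return: against a token that returns no data, the ABI decode itself reverts, which is safe but unhelpful, whereas `joinSafe` accepts such tokens while still rejecting an explicit `false`.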


📄 Conclusion

Failing to check the return value of ERC-20 token operations introduces logic flaws that can corrupt game state or be used to bypass staking requirements. While the impact here is moderate, the fix is a one-line change and should be applied to conform to secure token interaction practices.

📄 Tool Used

Solidity (Wake)
V1.18.0

Updates

Appeal created

m3dython Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Missing Check on External Call Return Value

ERC20 implementation typically reverts on transfer failures
