The RockPaperScissors::joinGameWithToken function uses transferFrom to pull WinningToken tokens into the contract but never checks the result of that call. If the token signals a failed transfer by returning false rather than reverting, a player can join a token-based game without actually transferring any tokens, breaking game fairness and prize distribution.
Affected Code
The function assumes that the WinningToken contract reverts when a transfer fails. The ERC-20 standard, however, also permits a token to signal failure by returning false from transferFrom. Because transferFrom is called without checking its boolean return value, such a failed transfer passes silently: the player is recorded as having joined, and the game's accounting counts tokens that were never locked.
Impact
Players can join token-based games without locking tokens, gaining free participation.
Games may hold no valid token deposit, so the prize the contract promises the winner is unbacked.
Recommended Mitigation
Replace the raw transferFrom call with OpenZeppelin's SafeERC20.safeTransferFrom, which reverts both when the token reverts and when it returns false (it also tolerates tokens that return no data at all). Whether the issue is exploitable in practice depends on how WinningToken itself behaves on a failed transfer, but the check is cheap and should be applied regardless.
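The following is an added illustration, not code from the RockPaperScissors repository or from the submitter. It shows a hypothetical token that returns false on failure, a simplified join function that discards the transferFrom result (the pattern the finding describes), and the same function hardened with SafeERC20. The game storage, the STAKE constant and the contract names VulnerableJoin / FixedJoin / FalseReturningToken are assumptions made for the example; only joinGameWithToken and WinningToken come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical token that reports failure by returning false instead of reverting.
// Constructed for this example only; it is NOT the WinningToken contract.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false; // ERC-20 permits this; a caller that ignores it sees no error
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Simplified game keeping only the fields needed to show the bug
// (hypothetical layout, not the RockPaperScissors storage).
contract VulnerableJoin {
    uint256 public constant STAKE = 1e18; // assumed fixed stake per player
    IERC20 public immutable winningToken;
    mapping(uint256 => address) public playerB;
    mapping(uint256 => uint256) public tokensLocked;

    constructor(IERC20 token) {
        winningToken = token;
    }

    // Mirrors the pattern in the finding: the bool returned by transferFrom is
    // discarded. With FalseReturningToken and no approval, the call returns
    // false, yet the player is still recorded and tokensLocked grows while the
    // contract's real balance stays at zero, i.e. the prize is unbacked.
    function joinGameWithToken(uint256 gameId) external {
        winningToken.transferFrom(msg.sender, address(this), STAKE);
        playerB[gameId] = msg.sender;
        tokensLocked[gameId] += STAKE;
    }
}

contract FixedJoin {
    using SafeERC20 for IERC20;

    uint256 public constant STAKE = 1e18;
    IERC20 public immutable winningToken;
    mapping(uint256 => address) public playerB;
    mapping(uint256 => uint256) public tokensLocked;

    constructor(IERC20 token) {
        winningToken = token;
    }

    // safeTransferFrom reverts if the token reverts, if it returns false, or if
    // the target has no code; tokens that return no data are accepted. The
    // state below is therefore only written when the stake actually arrived.
    function joinGameWithToken(uint256 gameId) external {
        winningToken.safeTransferFrom(msg.sender, address(this), STAKE);
        playerB[gameId] = msg.sender;
        tokensLocked[gameId] += STAKE;
    }
}
```

To reproduce the issue in a Foundry or Hardhat test, deploy FalseReturningToken, wrap its address as IERC20 for each game contract, and call joinGameWithToken from an account that has neither balance nor approval: VulnerableJoin records the player and a non-zero tokensLocked while winningToken.balanceOf(address(game)) is still zero, whereas FixedJoin reverts with SafeERC20's failed-operation error and leaves no state behind.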