Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

`transferFrom` Return Value Is Ignored in `createGameWithToken()` and `joinGameWithToken()`

Description:

In `createGameWithToken()` and `joinGameWithToken()`, the return value of the `transferFrom()` function is ignored. Although most ERC-20 tokens revert on failure, ignoring the returned `bool` may cause the function to proceed even if the token transfer fails silently (in the case of non-standard ERC-20 implementations).
This breaks the checks-effects-interactions pattern and may leave the contract in an inconsistent state or open to user error.

Recommended Mitigation:

Always check the return value of `transferFrom()`:

- winningToken.transferFrom(msg.sender, address(this), 1);
+ require(winningToken.transferFrom(msg.sender, address(this), 1), "Token transfer failed");
- winningToken.transferFrom(msg.sender, address(this), 1);
+ require(winningToken.transferFrom(msg.sender, address(this), 1), "Token transfer failed");
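
Review bot: both `+` lines wrap the call in `require(...)`, which only covers tokens that return `false`; a token that returns no data at all would still revert when the declared `bool` is decoded, so if non-standard ERC-20 implementations are the concern, OpenZeppelin's `SafeERC20.safeTransferFrom` is the more complete fix. The two `-`/`+` pairs are also identical and carry no function context, so label which one applies to `createGameWithToken()` and which to `joinGameWithToken()`.
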
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Broken Token Game Creation

createGameWithToken and joinGameWithToken functions will revert because they attempt transferFrom without requiring the user to first approve
