The contract uses winningToken.transferFrom(msg.sender, address(this), 1) to transfer the token from the winner to the contract. However, the use of transferFrom is discouraged due to its lack of safety checks and inconsistencies in some token implementations.
Non-safe transfer: transferFrom does not check whether the receiver (the contract) can actually handle NFTs. If the receiving contract lacks onERC721Received, the token can be forever locked or result in an error on transfer.
Lack of interface compatibility check: safeTransferFrom verifies that the recipient is capable of handling tokens by checking for the IERC721Receiver interface.
Tokens could be permanently stuck in the contract if it's not properly handling incoming ERC-721s.
Unexpected reverts or silent failures, depending on how the ERC-721 contract is implemented.
Manual review
Replace the unsafe transferFrom with safeTransferFrom, and ensure your contract implements IERC721Receiver if it's meant to hold tokens.
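One way to apply this recommendation, as an added example that is not the audited project's code. It assumes winningToken is an ERC-721 as the finding states and uses OpenZeppelin's interfaces; PrizeVault, deposit, withdraw, depositorOf and the custom errors are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical holder contract written for this example.
contract PrizeVault is IERC721Receiver {
    IERC721 public immutable winningToken;
    // Records who deposited each token so it can always be returned.
    mapping(uint256 => address) public depositorOf;

    error UnexpectedToken(address token);
    error NotDepositor(address caller);

    constructor(IERC721 token) {
        winningToken = token;
    }

    // Caller must have approved this contract for tokenId beforehand.
    function deposit(uint256 tokenId) external {
        // safeTransferFrom makes the token call onERC721Received on this
        // contract and reverts unless the expected selector comes back.
        winningToken.safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // Receiver hook: accept only the expected collection and record the
    // previous owner. Plain transferFrom bypasses this hook entirely, so
    // tokens pushed that way will have no depositor entry.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata)
        external
        override
        returns (bytes4)
    {
        if (msg.sender != address(winningToken)) revert UnexpectedToken(msg.sender);
        depositorOf[tokenId] = from;
        return IERC721Receiver.onERC721Received.selector;
    }

    function withdraw(uint256 tokenId) external {
        if (depositorOf[tokenId] != msg.sender) revert NotDepositor(msg.sender);
        // Clear state before the external call: safeTransferFrom invokes the
        // recipient's onERC721Received, which is a reentrancy point.
        delete depositorOf[tokenId];
        winningToken.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```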