The createGameWithToken function uses transferFrom to collect a game entry token from the caller, but it fails to validate whether the token transfer was successful. This opens the contract to abuse by malicious or non-standard ERC-20 tokens that return true without actually transferring tokens, allowing players to create games without paying the required token.
Function Affected: createGameWithToken
Line: 122 – 149
Code Location:
This call is not checked for success. According to the ERC-20 standard, transferFrom should return a boolean indicating success or failure. If the token contract is malicious or improperly implemented (e.g., always returning true), the game will be created despite no token being received.
Tokenless game creation: Malicious users can bypass the entry fee, playing for free.
False state assumptions: The contract may assume it has a token it doesn't actually hold.
Trust erosion: Honest users pay entry fees, while attackers play for free—undermining fairness.
ERC-20 compatibility risks: Non-compliant tokens or proxy/wrapped tokens could abuse this silently.
A user could deploy such a token (one whose transferFrom returns true without moving any balance), approve the RockPaperScissors contract to spend from it, and then create a game via createGameWithToken() without sending any tokens.
Tools Used: Manual Code Review, Custom ERC-20 Token Contract
Validate the return value of transferFrom to ensure the token transfer succeeded:
This ensures only users who successfully send a token can create a game.
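The unchecked call beside the recommended check, as an added example written for this writeup rather than taken from the audited RockPaperScissors source; the Game struct, the games array and the function signatures are assumptions. Beyond the return-value check the finding asks for, the hardened version also compares balances before and after the call, which catches a token that reports success without crediting the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified stand-in for the audited contract; the Game struct, the games
// array and the function signatures are assumptions made for this example.
contract RockPaperScissorsExample {
    struct Game { address creator; address token; uint256 entryFee; }
    Game[] public games;

    // Vulnerable pattern described in the finding: the boolean returned by
    // transferFrom is discarded, so a token that returns true (or false)
    // without moving any balance still lets the caller open a game.
    function createGameWithTokenUnchecked(address token, uint256 entryFee)
        external returns (uint256 gameId)
    {
        IERC20(token).transferFrom(msg.sender, address(this), entryFee);
        games.push(Game(msg.sender, token, entryFee));
        return games.length - 1;
    }

    // Hardened version. The require on the return value is the fix the
    // finding recommends and rejects tokens that report failure. The
    // balance-delta check goes one step further: it also rejects a token
    // that reports success without actually crediting this contract
    // (and, as a side effect, fee-on-transfer tokens that deliver less
    // than entryFee).
    function createGameWithToken(address token, uint256 entryFee)
        external returns (uint256 gameId)
    {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        bool ok = IERC20(token).transferFrom(msg.sender, address(this), entryFee);
        require(ok, "RPS: transferFrom returned false");
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        require(received == entryFee, "RPS: entry fee not received");
        games.push(Game(msg.sender, token, entryFee));
        return games.length - 1;
    }
}
```

Some deployed tokens return no boolean at all, so a bare `bool ok = ...transferFrom(...)` reverts on them; OpenZeppelin's SafeERC20.safeTransferFrom wraps the same check while tolerating a missing return value.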
ERC20 implementation typically reverts on transfer failures