Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Status: Invalid

Unhandled Token Approvals Problem

Vulnerability Details

The contract's token-based game functions (createGameWithToken/joinGameWithToken) call transferFrom on the winning token without checking the caller's allowance first and without handling ERC20 implementations that signal failure by returning false rather than reverting. This implementation assumes:

  1. Players have already granted the contract an unlimited approval

  2. Every ERC20 token the contract is used with reverts on a failed transfer

These assumptions do not hold for every ERC20 implementation in the wild:

  • Some tokens return false instead of reverting when a transfer fails, so a caller that ignores the return value cannot tell that nothing moved

  • Users often approve the exact amount they intend to spend rather than an unlimited allowance

Impact

High Severity:

  • Calls revert when the player's allowance for the contract is below the 1-token stake; this is the standard ERC20 behaviour, so the player loses only the gas for the failed transaction

  • A player who has approved less than the stake cannot create or join a game until they approve again

  • If the token returns false instead of reverting and the return value is ignored, a game could be created or joined without the stake actually being transferred

Recommendations

1. Implement Allowance Verification

Add an explicit check before the transfer so the failure surfaces with a clear error message. Note that transferFrom already fails when the allowance is insufficient, so the check improves diagnostics rather than adding a safety property; the snippet assumes the SafeERC20 directive from recommendation 2:

```solidity
using SafeERC20 for IERC20; // contract-level directive

function createGameWithToken(uint256 _timeoutInterval) external {
    uint256 requiredAllowance = 1; // the stake is one winning token
    require(
        winningToken.allowance(msg.sender, address(this)) >= requiredAllowance,
        "Insufficient token allowance"
    );
    winningToken.safeTransferFrom(msg.sender, address(this), requiredAllowance);
    // Rest of function
}
```

2. Use SafeERC20 Wrappers

Replace raw transferFrom calls with OpenZeppelin's SafeERC20, which reverts both when the token reverts and when it returns false, so a lenient token cannot be mistaken for a successful payment:

```solidity
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20; // contract-level directive

function joinGameWithToken(uint256 _gameId) external {
    // Reverts if the token reverts or returns false
    winningToken.safeTransferFrom(msg.sender, address(this), 1);
    // Rest of function
}
```

3. Frontend Integration

Implement a two-step flow in the UI:

  1. Read the player's current allowance for the game contract and compare it with the stake

  2. If it is below the stake, prompt the wallet (e.g. MetaMask) for an approve transaction before calling createGameWithToken or joinGameWithToken
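The following Foundry test is added here as an illustration; it is not part of the original submission or of the project's code. It exercises the failure mode described under Vulnerability Details together with both on-chain recommendations above. FalseReturningToken is a constructed token that returns false instead of reverting; RawEntry and SafeEntry are stand-ins for the game's token-entry path with the stake fixed at one token, as in the snippets above. The tests show that the raw transferFrom path records a game without ever receiving the stake, that SafeERC20 turns the false return into a revert, and that an exact approval of 1 (not an unlimited one) is enough. The example does not establish that the token the game actually deploys behaves like FalseReturningToken; OpenZeppelin's ERC20, for instance, reverts on insufficient allowance. Assumed dependencies: OpenZeppelin Contracts v5 and forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed token for this example: signals failure by returning false
/// instead of reverting. Only the functions the example calls are implemented.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) {
            return false; // lenient token: reports failure, does not revert
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Stand-in for the game's token-entry path with the return value ignored.
contract RawEntry {
    IERC20 public immutable token;
    uint256 public gamesCreated;
    constructor(IERC20 _token) { token = _token; }

    function createGameWithToken() external {
        token.transferFrom(msg.sender, address(this), 1); // result discarded
        gamesCreated++;
    }
}

/// Same entry path hardened with SafeERC20: a false return becomes a revert.
contract SafeEntry {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    uint256 public gamesCreated;
    constructor(IERC20 _token) { token = _token; }

    function createGameWithToken() external {
        token.safeTransferFrom(msg.sender, address(this), 1);
        gamesCreated++;
    }
}

contract TokenEntryTest is Test {
    FalseReturningToken token;
    RawEntry raw;
    SafeEntry safe;
    address player;

    function setUp() public {
        token = new FalseReturningToken();
        raw = new RawEntry(IERC20(address(token)));
        safe = new SafeEntry(IERC20(address(token)));
        player = makeAddr("player");
        token.mint(player, 5); // funded, but no allowance granted yet
    }

    /// Raw path: the game is counted although the stake was never collected.
    function test_rawEntryCountsGameWithoutStake() public {
        vm.prank(player);
        raw.createGameWithToken();
        assertEq(raw.gamesCreated(), 1);
        assertEq(token.balanceOf(address(raw)), 0);
    }

    /// Safe path: the false return is surfaced as a revert and no game is recorded.
    function test_safeEntryRevertsWithoutAllowance() public {
        vm.prank(player);
        vm.expectRevert();
        safe.createGameWithToken();
        assertEq(safe.gamesCreated(), 0);
    }

    /// An exact approval of the stake is sufficient; unlimited approval is not needed.
    function test_safeEntryAcceptsExactAllowance() public {
        vm.startPrank(player);
        token.approve(address(safe), 1);
        safe.createGameWithToken();
        vm.stopPrank();
        assertEq(safe.gamesCreated(), 1);
        assertEq(token.balanceOf(address(safe)), 1);
        assertEq(token.allowance(player, address(safe)), 0);
    }
}
```

Run it with forge test. The first test passes only because RawEntry discards the boolean that transferFrom returns, which is the condition the finding depends on; against a token that reverts on failure, the raw and safe paths behave identically.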

Updates

Appeal created

m3dython (Lead Judge), 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
