Rock Paper Scissors

First Flight #38

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

No Token Transfer Validation Enables Underpayment Exploit

nonanondores

Summary

The joinGame function uses transferFrom() but does not verify how many tokens were actually received. This opens up underpayment exploits with ERC20s that include fees or have broken implementations.

Vulnerability Details

IERC20(token).transferFrom(msg.sender, address(this), betAmount);

This code assumes success and the full amount, but certain tokens (e.g., fee-on-transfer tokens) reduce the transferred amount.

Impact

Malicious users may join games without committing the full stake.

Honest users are at financial disadvantage.

Tools Used

Manual review

Custom ERC20 mocks with fee-on-transfer behavior

Recommendations

Validate the contract balance before and after:

uint256 before = IERC20(token).balanceOf(address(this));

IERC20(token).transferFrom(...);

uint256 after = IERC20(token).balanceOf(address(this));

require(after - before == betAmount, "Incorrect token amount received");

Updates

Appeal created

m3dython Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

349

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.