The createGameWithToken function calls winningToken.transferFrom(msg.sender, address(this), 1) without validating the return value. This is known as an unchecked ERC20 transfer vulnerability.

In Solidity, the transferFrom function of an ERC20 token returns a boolean value indicating the success or failure of the operation. If this value is not explicitly checked, malicious or non-standard tokens can falsely report a successful transfer, allowing users to bypass the token requirement.
At the line commented "Transfer token to contract", the call winningToken.transferFrom(msg.sender, address(this), 1) assumes the token transfer always succeeds, without verifying its return value.
A malicious token contract:
Using this fake token, an attacker calls:
No real tokens are transferred, but the game is created.
An attacker can:
- Deploy a fake ERC20 token that always returns true or false from transferFrom.
- Call createGameWithToken() to create a game without actually transferring any tokens.
This undermines the token-based game logic and can result in abuse of the game system or denial-of-service against other users.
Manual Review
Update the token transfer line to
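The following is an added illustration, not the audited project's code: a hypothetical minimal game contract reproducing the unchecked pattern next to a hardened version. It assumes OpenZeppelin's IERC20 and SafeERC20 are available at the standard import paths; the contract names, the gameCount counter and the constructor are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal contract reproducing the unchecked pattern (not the audited code).
contract GameVulnerable {
    IERC20 public immutable winningToken;
    uint256 public gameCount;

    constructor(IERC20 token) {
        winningToken = token;
    }

    function createGameWithToken() external {
        // Transfer token to contract: the boolean return value is discarded, so a
        // token that returns false (or returns no data) still lets the game be created.
        winningToken.transferFrom(msg.sender, address(this), 1);
        gameCount += 1;
    }
}

// Hardened version of the same hypothetical contract.
contract GameFixed {
    using SafeERC20 for IERC20;

    IERC20 public immutable winningToken;
    uint256 public gameCount;

    constructor(IERC20 token) {
        winningToken = token;
    }

    function createGameWithToken() external {
        // Option A: check the boolean explicitly and revert on failure.
        // require(winningToken.transferFrom(msg.sender, address(this), 1), "token transfer failed");

        // Option B (preferred): SafeERC20 reverts when the call returns false and also
        // handles tokens that return no data at all. The balance delta check below
        // additionally rejects tokens that report success without delivering exactly
        // one unit (for example fee-on-transfer tokens).
        uint256 balanceBefore = winningToken.balanceOf(address(this));
        winningToken.safeTransferFrom(msg.sender, address(this), 1);
        require(
            winningToken.balanceOf(address(this)) - balanceBefore == 1,
            "token not received"
        );
        gameCount += 1;
    }
}
```

A return-value check only defends the contract when winningToken is a fixed, trusted token address set at deployment; if callers could supply the token address themselves, no check on the consuming side could distinguish a genuine transfer from one faked by an attacker-controlled contract, so the token address should never be user-selectable.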