The createGameWithToken function has an unchecked return value vulnerability in its ERC20 token transfer operation.
This happens when calling transferFrom on the winningToken ERC20 token interface. In the ERC-20 standard, transferFrom returns a boolean (true or false) to indicate whether the transfer succeeded. The return value is not checked, so if the transfer fails for any reason and the token signals this by returning false rather than reverting, the function will not revert; it will go ahead and create a game even though no token was transferred.
This could lead to game creation without the transfer of the required token, violating the business logic.
It could also lead to inconsistency between game state and actual token holdings.
Malicious users could spam games without paying the token.
Manual Review
It is recommended to use OpenZeppelin's SafeERC20 library, which provides safe wrappers around ERC20 operations (safeTransferFrom) that revert when the underlying call fails or returns false.
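As an added illustration (not the audited project's code; the contract name, stake amount, and game bookkeeping are assumed, only createGameWithToken and winningToken come from the finding), the vulnerable pattern beside the SafeERC20 fix:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration, not the audited project's code. Storage layout and
// game bookkeeping are assumed; only createGameWithToken/winningToken
// come from the finding.
contract GameFactoryExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable winningToken;
    uint256 public immutable stake;
    uint256 public gameCount;
    mapping(uint256 => address) public gameCreator;

    constructor(IERC20 token, uint256 stakeAmount) {
        winningToken = token;
        stake = stakeAmount;
    }

    // VULNERABLE: the boolean returned by transferFrom is discarded. A token
    // that returns false instead of reverting lets a game be created
    // without any tokens moving into the contract.
    function createGameWithToken() external returns (uint256 id) {
        winningToken.transferFrom(msg.sender, address(this), stake);
        id = ++gameCount;
        gameCreator[id] = msg.sender;
    }

    // FIXED: safeTransferFrom reverts when the call fails, when it returns
    // false, or when a token returns malformed data, so state is only
    // updated after the stake actually arrived.
    function createGameWithTokenSafe() external returns (uint256 id) {
        winningToken.safeTransferFrom(msg.sender, address(this), stake);
        id = ++gameCount;
        gameCreator[id] = msg.sender;
    }
}
```

Without the library, the minimal equivalent is to wrap the call in require: `require(winningToken.transferFrom(msg.sender, address(this), stake), "transfer failed");`, though this still does not handle tokens that return no data.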
The ERC20 implementation typically reverts on transfer failures.