Summary

The RockPaperScissors smart contract fails to check the return value of token.transferFrom(...) in critical functions. This omission can lead to silent transaction failures, where token transfers appear to succeed but actually fail, potentially resulting in logic inconsistencies and security vulnerabilities, especially when interacting with non-standard ERC-20 tokens.

Vulnerability Details

In the smart contract, token transfers are initiated using IERC20(token).transferFrom(...), but the return value of this function is not validated. According to the ERC-20 standard, transferFrom returns a boolean value indicating success. However, some tokens may return false without reverting on failure. Without explicitly checking this return value, the contract may incorrectly assume that the token transfer succeeded. This is particularly risky in scenarios like game creation or move commitment, where tokens are transferred as bets. If the transfer silently fails, the game may proceed with incomplete or missing funds, leading to broken logic or loss of user funds. This vulnerability is commonly exploited with non-compliant or malicious ERC-20 tokens that don't revert on failure but simply return false.

Impact

Failure to check the return value of transferFrom can lead to:

• Game creation with zero or partial bet amounts

• Mismatch between recorded and actual token balances

• Exploitation by malicious tokens to bypass payments

• Potential denial of service (DoS) or stuck games

Tools Used

• Manual code review: Identified missing return value checks in token transfer logic

• Slither: Detected warnings for unchecked return values in ERC-20 interactions

Recommendations

To mitigate this vulnerability, the contract should explicitly check the return value of all transferFrom calls and revert the transaction if the call fails.