Root + Impact
Description
Token transfers ignore the returned boolean value.
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/Pot.sol#L65
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/Pot.sol#L55
and in the ContestManager contract
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/ContestManager.sol#L37
Some ERC20 implementations return false instead of reverting on failure.
Ignoring the return value may cause the protocol to assume transfers succeeded when they actually failed.
Risk
Likelihood:
Likely
Impact:
Possible consequences include:
rewards marked as claimed without being transferred
manager fees silently failing
redistribution silently failing
accounting becoming inconsistent with token balances
Proof of Concept
A non-standard ERC20 returns false instead of reverting.
claimCut() executes:
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/Pot.sol#L43
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/Pot.sol#L44
The transfer silently fails.
The user's entitlement is erased even though no tokens were received.
Recommended Mitigation
Use OpenZeppelin's SafeERC20 library.
using SafeERC20 for IERC20;
token.transferFrom(msg.sender, address(pot), totalRewards);- remove this code
i_token.transfer(player, reward); remove this code
i_token.safeTransfer(player, reward); + add this code
token.safeTransferFrom(...); + add this code