Unsafe ERC20 transfer / transferFrom Usage (Missing Return Value Check) in Multiple Functions

Summary

The protocol performs ERC20 token transfers using direct calls to transfer() and transferFrom() without verifying their return values.

Some non-standard ERC20 tokens — such as Tether (USDT) — do not revert on failure. Instead, they return false. If the return value is not checked, execution continues even when the transfer fails.

This results in silent transfer failures and inconsistent protocol state across multiple locations in the system.

Affected Locations

1️⃣ ContestManager::fundContest()

Issue

If transferFrom() returns false, the function does not revert, and the contest may appear funded while no tokens were transferred.

Impact

• Contest remains unfunded

• Protocol accounting inconsistency

2️⃣ Pot::closePot()

Issue

If transfer() silently fails:

• Manager may not receive funds

• Execution continues as if successful

This may lead to incorrect distribution logic.

3️⃣ Pot::_transferReward()

Issue

If transfer fails:

• Player does not receive reward

• Contract does not detect failure

• Funds may remain locked in contract

Root Cause

The protocol directly calls:

• transfer()

• transferFrom()

without checking the returned boolean value.

This breaks compatibility with non-standard ERC20 tokens that return false instead of reverting.

Risk Assessment

Likelihood: Medium

• Occurs when a non-standard ERC20 token is used.

• The protocol allows arbitrary ERC20 selection.

Impact: High

• Silent funding failure

• Reward distribution failure

• Locked funds

• Denial of service for contest participants

• Severe trust damage

Recommended Mitigation

Use OpenZeppelin’s SafeERC20 library to ensure safe token transfers.

Import:

Apply to all ERC20 transfers:

Fix 1 – fundContest

Fix 2 – closePot

Fix 3 – _transferReward