The _transferReward function uses the standard ERC20 transfer method without checking its boolean return value. According to the protocol's scope, it supports all standard ERC20 tokens. Some ERC20 tokens (e.g., ZRX) do not revert the transaction if the sender has an insufficient balance or if the transfer fails; instead, they simply return false.
In Pot.sol, the claimCut function optimistically updates the user's state by zeroing out their reward balance (playersToRewards[player] = 0;) before making the external call. If the external call to transfer returns false, the transaction will not revert. Consequently, the user's state is completely wiped, but no tokens are actually transferred to their wallet.
Users will permanently lose their allocated rewards. Since their internal balance is set to 0 and they are added to the claimants array, it becomes impossible for them to retry the claim, resulting in a permanent loss of funds.
The following Foundry test demonstrates how a token that silently fails will successfully wipe the user's state without transferring any actual value.
Solidity
Utilize OpenZeppelin’s SafeERC20 wrapper to ensure that boolean return values are strictly checked and that the transaction reverts upon failure.
Solidity
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.