MyCut

AI First Flight #8
Beginner Friendly, Foundry
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unsafe ERC20 Transfers: Using transfer() instead of safeTransfer()

Root + Impact

Description



An ERC20 transfer that fails should revert, so that the contract's accounting and the actual token balances never diverge.




The contract calls transfer() directly and ignores its boolean return value. Some ERC20 tokens signal failure by returning false rather than reverting, so a failed transfer goes unnoticed by the calling contract.

i_token.transfer(player, reward); // @> unchecked return value

Risk

Likelihood:

  • Occurs when interacting with non-standard ERC20 tokens

  • Occurs in multi-token deployments

Impact:

  • Silent transfer failures

  • Incorrect accounting

  • Users do not receive funds despite state updates

Proof of Concept

1. The token's transfer() returns false instead of reverting.
2. playersToRewards[player] = 0 has already executed.
3. The transfer fails silently; the call does not revert.
4. The user permanently loses the reward: their entry is zeroed, so they cannot claim again, and the tokens never left the contract.
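The failure mode described above, reproduced end to end in a Foundry test. This is an added example, not MyCut project code: the token, both pot contracts and the test are constructed here, and it assumes OpenZeppelin Contracts v5 and forge-std are installed in the project with the remappings implied by the import paths. The first test shows the unchecked transfer() zeroing the reward while paying nothing; the second shows the same claim under safeTransfer() reverting and leaving the reward claimable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not MyCut project code. Assumes OpenZeppelin Contracts v5 and
// forge-std are installed in a Foundry project with matching remappings.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

/// Constructed non-standard token: transfer() returns false on insufficient
/// balance instead of reverting, which is the behaviour the finding relies on.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical pot mirroring the reported pattern: the reward entry is
/// zeroed, then transfer() is called and its return value is dropped.
contract UncheckedPot {
    IERC20 public immutable i_token;
    mapping(address => uint256) public playersToRewards;

    constructor(IERC20 token, address player, uint256 reward) {
        i_token = token;
        playersToRewards[player] = reward;
    }

    function claimCut() external {
        uint256 reward = playersToRewards[msg.sender];
        require(reward > 0, "no reward");
        playersToRewards[msg.sender] = 0;     // accounting updated first
        i_token.transfer(msg.sender, reward); // return value ignored
    }
}

/// Same pot with the recommended mitigation: safeTransfer reverts when the
/// token returns false, so the zeroed entry is rolled back with the call.
contract SafePot {
    using SafeERC20 for IERC20;

    IERC20 public immutable i_token;
    mapping(address => uint256) public playersToRewards;

    constructor(IERC20 token, address player, uint256 reward) {
        i_token = token;
        playersToRewards[player] = reward;
    }

    function claimCut() external {
        uint256 reward = playersToRewards[msg.sender];
        require(reward > 0, "no reward");
        playersToRewards[msg.sender] = 0;
        i_token.safeTransfer(msg.sender, reward); // reverts on false
    }
}

contract SilentTransferFailureTest is Test {
    address alice = makeAddr("alice");
    uint256 constant REWARD = 100e18;

    // Neither pot is funded, so the mock token's transfer() returns false.
    function test_uncheckedTransfer_zeroesRewardWithoutPaying() public {
        FalseReturningToken token = new FalseReturningToken();
        UncheckedPot pot = new UncheckedPot(IERC20(address(token)), alice, REWARD);

        vm.prank(alice);
        pot.claimCut(); // does not revert

        assertEq(pot.playersToRewards(alice), 0); // state says "paid"
        assertEq(token.balanceOf(alice), 0);      // nothing was received
    }

    function test_safeTransfer_revertsAndPreservesState() public {
        FalseReturningToken token = new FalseReturningToken();
        SafePot pot = new SafePot(IERC20(address(token)), alice, REWARD);

        vm.prank(alice);
        vm.expectRevert();
        pot.claimCut();

        assertEq(pot.playersToRewards(alice), REWARD); // claim still pending
    }
}
```

Run with `forge test --match-contract SilentTransferFailureTest -vv`. The unfunded pot is deliberate: it is the simplest way to make the mock return false, but any token that returns false on failure (or a pot whose balance has been drained by earlier claims) produces the same divergence between playersToRewards and the token balance.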

Recommended Mitigation

Use OpenZeppelin's SafeERC20: its safeTransfer() reverts when the token returns false, which prevents silent failures, and it is the widely adopted standard for secure token transfers.

+ import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+ using SafeERC20 for IERC20;
- i_token.transfer(player, reward);
+ i_token.safeTransfer(player, reward);
- i_token.transfer(msg.sender, managerCut);
+ i_token.safeTransfer(msg.sender, managerCut);
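Review bot: the `using SafeERC20 for IERC20;` directive is shown next to the file-level import, but it has to sit inside the contract that makes the calls (file-level `using` directives exist only from Solidity 0.8.13), and it only attaches `safeTransfer` to values whose static type is `IERC20`, so confirm that `i_token` is declared as `IERC20` rather than a raw `address` and that `IERC20` itself is imported. The second call site, `i_token.transfer(msg.sender, managerCut);`, appears nowhere in the Description or Proof of Concept; name the function it lives in so a reader can verify both sites are covered by the fix.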
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
