The protocol moves reward tokens with raw transfer/transferFrom calls and never checks the boolean return value. Some ERC20 tokens (e.g. USDT and other non-standard implementations) return false on failure instead of reverting. With such tokens, a failed transfer is treated as successful, corrupting the accounting: rewards are marked as paid/claimed while no tokens actually moved.
Likelihood:
Occurs when the pot's reward token is a non-standard ERC20 that returns false instead of reverting on failure.
Impact:
A failed transfer is treated as success: playersToRewards is zeroed and the claimant is recorded, but no tokens are received — the player loses their reward and accounting diverges from real balances.
Note: with a non-standard token that returns false instead of reverting, claimCut() zeroes playersToRewards and records the claimant while no tokens move, since the transfer return value is never checked. Requires a mock false-returning ERC20 to run; the missing return-value check is evident from the source.
Use OpenZeppelin's SafeERC20 (safeTransfer / safeTransferFrom), which reverts on failure and handles non-standard tokens correctly.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.