Koolex - Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver

[sherlock-admin]

Koolex

medium

Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver

Summary

Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver

Vulnerability Detail

The protocol supports any ERC20 token and use transfer method to transfer the ERC20 token prize to the claimer.
However, some ERC20 tokens do not revert on a failed transfer but only return a bool value (false). In this case, the tx will succeed and totalERC20Claimed is updated although the claimer receives zero amount.

Note: this is also applicable on FootiumEscrow contract although it has less impact since the owner can re-call FootiumEscrow.transferERC20 as many as he/she wants.

Impact

The claimer receives zero amount. totalERC20Claimed is updated for the claimer even though he/she didn't reveive any amount.

Code Snippet

	if (value > 0) {
		totalERC20Claimed[_token][_to] += value;
		_token.transfer(_to, value);
	}

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131

    function transferERC20(
        IERC20 erc20Contract,
        address to,
        uint256 amount
    ) external onlyClubOwner {
        erc20Contract.transfer(to, amount);
    }

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L110

Tool used

Manual Review

Recommendation

Use a safe transfer from a library like OpenZeppelin SafeERC20 to avoid inconsistent handling of ERC20 transfer

Duplicate of #86