You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue
May 5, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver
Summary
Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver
Vulnerability Detail
The protocol supports any ERC20 token and use transfer method to transfer the ERC20 token prize to the claimer.
However, some ERC20 tokens do not revert on a failed transfer but only return a bool value (false). In this case, the tx will succeed and totalERC20Claimed is updated although the claimer receives zero amount.
Note: this is also applicable on FootiumEscrow contract although it has less impact since the owner can re-call FootiumEscrow.transferERC20 as many as he/she wants.
Impact
The claimer receives zero amount. totalERC20Claimed is updated for the claimer even though he/she didn't reveive any amount.
Code Snippet
if (value >0) {
totalERC20Claimed[_token][_to] += value;
_token.transfer(_to, value);
}
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Koolex
medium
Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver
Summary
Transferring ERC20 tokens which return a bool value and don't revert on failure will cause loss of funds for the receiver
Vulnerability Detail
The protocol supports any ERC20 token and use
transfer
method to transfer the ERC20 token prize to the claimer.However, some ERC20 tokens do not revert on a failed transfer but only return a bool value (false). In this case, the tx will succeed and totalERC20Claimed is updated although the claimer receives zero amount.
Note: this is also applicable on FootiumEscrow contract although it has less impact since the owner can re-call
FootiumEscrow.transferERC20
as many as he/she wants.Impact
The claimer receives zero amount. totalERC20Claimed is updated for the claimer even though he/she didn't reveive any amount.
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L110
Tool used
Manual Review
Recommendation
Use a safe transfer from a library like OpenZeppelin SafeERC20 to avoid inconsistent handling of ERC20 transfer
Duplicate of #86
The text was updated successfully, but these errors were encountered: