ddimitrov22 - Unsafe usage of transfer method

[sherlock-admin]

ddimitrov22

medium

Unsafe usage of transfer method

Summary

Unsafe usage of transfer method can lead to stuck tokens in the protocol smart contracts.

Vulnerability Detail

The ERC20 transfer method is called in claimERC20Prize and transferERC20, but does not check if the returned bool value is true. This is problematic because there are tokens on the blockchain which actually do not revert on failure but instead return false (example is ZRX). From the documentation provided we can see that all ERC20 tokens can be used which makes this scenario quite possible.

Impact

If such a token is used and a transfer fails, the tokens will be stuck in the smart contracts forever ( FootiumPrizeDistributor and/or FootiumEscrow).

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L105-L111

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131

Tool used

Manual Review

Recommendation

Use the SafeERC20 library from OpenZeppelin and change the transfer call to a safeTransfer call instead.

Duplicate of #86