This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

sherlock-admin opened this issue May 5, 2023 · 0 comments

Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)
ddimitrov22

medium

Unsafe usage of transfer method

Summary

Unsafe usage of `transfer` method can lead to stuck tokens in the protocol smart contracts.

Vulnerability Detail

The ERC20 `transfer` method is called in `claimERC20Prize` and `transferERC20`, but does not check if the returned `bool` value is `true`. This is problematic because there are tokens on the blockchain which actually do not revert on failure but instead return `false` (example is `ZRX`). From the documentation provided we can see that all ERC20 tokens can be used which makes this scenario quite possible.

Impact

If such a token is used and a transfer fails, the tokens will be stuck in the smart contracts forever (`FootiumPrizeDistributor` and/or `FootiumEscrow`).

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L105-L111

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131

Tool used

Manual Review

Recommendation

Use the `SafeERC20` library from `OpenZeppelin` and change the `transfer` call to a `safeTransfer` call instead.

Duplicate of #86
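The following is an added example illustrating the finding and the recommended fix; it is not Footium's code and not part of the Sherlock report. It assumes OpenZeppelin Contracts v4.x is installed (the import paths are OpenZeppelin's real ones). `FalseReturningToken`, `UncheckedDistributor`, `CheckedDistributor` and `Demo` are constructed names: the mock token returns `false` instead of reverting, which is the behaviour the issue attributes to tokens such as ZRX; the unchecked distributor mirrors the shape of the reported `transfer` calls; the checked one applies `SafeERC20.safeTransfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Footium's code. Assumes OpenZeppelin Contracts v4.x.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: a token that returns false on an insufficient balance
/// instead of reverting (the failure mode described in the issue).
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public override allowance;
    uint256 public override totalSupply;

    function transfer(address to, uint256 amount) public override returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert, just false
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
        return true;
    }
}

/// Vulnerable pattern (constructed, same shape as the reported calls):
/// the bool returned by transfer() is discarded, so a false return leaves the
/// caller believing the payout happened while the tokens stay in this contract.
contract UncheckedDistributor {
    function claim(IERC20 token, uint256 amount) external {
        token.transfer(msg.sender, amount); // return value ignored
    }
}

/// Hardened pattern: SafeERC20.safeTransfer reverts both when the call itself
/// fails and when the token returns false. Unlike a bare
/// require(token.transfer(...)), it also tolerates tokens that return no data.
contract CheckedDistributor {
    using SafeERC20 for IERC20;

    function claim(IERC20 token, uint256 amount) external {
        token.safeTransfer(msg.sender, amount);
    }
}

/// Runs both distributors against the mock. Neither holds any tokens, so every
/// transfer must fail: the unchecked one succeeds silently, the checked one reverts.
contract Demo {
    function run() external returns (bool silentlyFailed, bool reverted) {
        FalseReturningToken token = new FalseReturningToken();
        UncheckedDistributor bad = new UncheckedDistributor();
        CheckedDistributor good = new CheckedDistributor();

        bad.claim(token, 1 ether); // no revert, nothing moved
        silentlyFailed = token.balanceOf(address(this)) == 0;

        try good.claim(token, 1 ether) {
            reverted = false;
        } catch {
            reverted = true; // SafeERC20 surfaces the false return as a revert
        }
    }
}
```

Deploying `Demo` and calling `run()` returns `(true, true)`: the unchecked claim completes with no tokens delivered, the checked claim reverts. For a fix that does not pull in the library, `require(token.transfer(to, amount), "transfer failed")` catches the false-returning case shown here, but it breaks on tokens whose `transfer` returns no data at all, which is why the report's recommendation of `safeTransfer` is the more robust choice.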