This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue
May 5, 2023
· 0 comments
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)
The transfer of ERC20 prizes may fail without reverting, resulting in the funds becoming locked
PokemonAuditSimulator
medium
The transfer of ERC20 prizes may fail without reverting, resulting in the funds becoming locked
Summary
Some ERC20 tokens do not revert when a transaction fails, resulting in users' funds being locked and inaccessible to them.
Vulnerability Detail
The claimERC20Prize() function can have unpredictable behavior or cause fund loss because some ERC20 tokens do not revert on a failed transfer but instead return 0 (false).
The claimERC20Prize() function does not include a check to ensure that the token transfer was successful. This means that if a transfer fails, the ERC20 tokens will still be marked as claimed in the PrizeDistributor contract, even though the user did not receive them.
For more detailed information, please refer to the following material: https://github.com/d-xo/weird-erc20#no-revert-on-failure.
Impact
This causes the user's funds to be locked and inaccessible to them.
Code Snippet
[FootiumPrizeDistributor/L106-L134]
Tool used
Manual Review
Recommendation
Consider modifying the specified line to mitigate the potential vulnerability. [FootiumPrizeDistributor/L130]
to:
Implementing this change will effectively eliminate the potential vulnerability.
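The following is an added illustration of the bug class described in this issue and of the recommended fix; it is not the FootiumPrizeDistributor code and does not reproduce its storage layout. The contract and function names (`NoRevertToken`, `VulnerableDistributor`, `FixedDistributor`, `PrizeBook`, `addPrize`) are hypothetical; only `claimERC20Prize()` is taken from the issue. The hardened version relies on OpenZeppelin's `SafeERC20.safeTransfer`, which reverts when the token returns `false`, so the "marked as claimed" state change is rolled back together with the failed transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock of a "no revert on failure" token (weird-erc20 pattern):
/// transfer() signals failure by returning false instead of reverting.
contract NoRevertToken {
    mapping(address => uint256) public balanceOf;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // fails silently
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical prize bookkeeping shared by both distributors below
/// (no access control on addPrize; it only exists to make the demo runnable).
abstract contract PrizeBook {
    // token => user => claimable amount
    mapping(address => mapping(address => uint256)) public prizes;

    function addPrize(address token, address user, uint256 amount) external {
        prizes[token][user] += amount;
    }
}

/// Sketch of the vulnerable pattern: the claim is recorded, then the
/// return value of transfer() is ignored. If the token returns false,
/// the prize is zeroed out while the user received nothing.
contract VulnerableDistributor is PrizeBook {
    function claimERC20Prize(address token) external {
        uint256 amount = prizes[token][msg.sender];
        prizes[token][msg.sender] = 0;              // marked as claimed ...
        IERC20(token).transfer(msg.sender, amount); // ... but `false` is never checked
    }
}

/// Hardened version: safeTransfer reverts on a `false` return (and on a
/// failed call), so the whole transaction, including the claim, reverts.
contract FixedDistributor is PrizeBook {
    using SafeERC20 for IERC20;

    function claimERC20Prize(address token) external {
        uint256 amount = prizes[token][msg.sender];
        require(amount > 0, "nothing to claim");
        prizes[token][msg.sender] = 0;
        IERC20(token).safeTransfer(msg.sender, amount); // reverts instead of failing silently
    }
}
```

To see the difference, deploy `NoRevertToken` with a supply held by some other address (so the distributor has no balance), credit a prize to a user via `addPrize`, and call `claimERC20Prize` from that user: `VulnerableDistributor` succeeds and leaves `prizes[token][user]` at 0 with no tokens delivered, while `FixedDistributor` reverts and the prize remains claimable.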
Duplicate of #86