You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue
May 5, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
With an ERC20 token with No Revert on Failure, the token is recognized as withdrawn even though it has not been withdrawn.
Summary
Some tokens do not revert on failure, but instead return false (e.g. ZRX).
If the implementation does not check the return value, processing proceeds as if the transfer succeeded even though it failed.
Vulnerability Detail
In FootiumPrizeDistributor's claimERC20Prize, the token is transferred with _token.transfer(_to, value). However. This does not check the return value, so even if it fails, the process proceeds as if it had succeeded.
Impact
The user does not receive the token but is recorded as having received it. It is a substantial loss of funds.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
innertia
medium
With an ERC20 token with No Revert on Failure, the token is recognized as withdrawn even though it has not been withdrawn.
Summary
Some tokens do not revert on failure, but instead return
false
(e.g. ZRX).If the implementation does not check the return value, processing proceeds as if the transfer succeeded even though it failed.
Vulnerability Detail
In
FootiumPrizeDistributor
'sclaimERC20Prize
, the token is transferred with_token.transfer(_to, value)
. However. This does not check the return value, so even if it fails, the process proceeds as if it had succeeded.Impact
The user does not receive the token but is recorded as having received it. It is a substantial loss of funds.
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L130
Tool used
Manual Review
Recommendation
Use
safeTransfer
Duplicate of #86
The text was updated successfully, but these errors were encountered: