This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
MiloTruck - Users might lose funds as claimERC20Prize() doesn't revert for no-revert-on-transfer tokens #86
Labels

- Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
- Medium: A valid Medium severity issue
- Reward: A payout will be made for this issue
- Sponsor Confirmed: The sponsor acknowledged this issue is valid
- Will Fix: The sponsor confirmed this issue will be fixed
Comments

github-actions bot added the Medium and Has Duplicates labels on May 10, 2023.

This was referenced on May 10, 2023 (three closed issues).

This was referenced on May 10, 2023 (two closed issues).

logiclogue added the Sponsor Confirmed and Will Fix labels on May 15, 2023.

This was referenced on Jun 1, 2023.
MiloTruck

medium

Users might lose funds as claimERC20Prize() doesn't revert for no-revert-on-transfer tokens

Summary

Users can call claimERC20Prize() without actually receiving tokens if a no-revert-on-failure token is used, causing a portion of their claimable tokens to become unclaimable.

Vulnerability Detail

In the FootiumPrizeDistributor contract, whitelisted users can call claimERC20Prize() to claim ERC20 tokens. The function adds the amount of tokens claimed to the user's total claim amount, and then transfers the tokens to the user:

FootiumPrizeDistributor.sol#L128-L131

As the return value from transfer() is not checked, claimERC20Prize() does not revert even when the transfer of tokens to the user fails. This could potentially cause users to lose assets when:

1. _token is a no-revert-on-failure token.
2. claimERC20Prize() is called with value higher than the contract's token balance.

As the contract has an insufficient balance, transfer() will revert and the user receives no tokens. However, as claimERC20Prize() succeeds, totalERC20Claimed is permanently increased for the user, thus the user cannot claim these tokens again.

Impact

Users can call claimERC20Prize() without receiving the token amount specified. These tokens become permanently unclaimable for the user, leading to a loss of funds.

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131

Tool used

Manual Review

Recommendation

Use safeTransfer() from OpenZeppelin's SafeERC20 to transfer ERC20 tokens. Note that transferERC20() in FootiumEscrow.sol also uses transfer() and is susceptible to the same vulnerability.