Editing on a previous submission to correct the details
Impact
In the function awardExternalERC721 of contract PrizePool, when awarding external ERC721 tokens to the winner, the transferFrom function is called instead of safeTransferFrom. If the winner is a contract and is not aware of incoming ERC721 tokens, the sent tokens could be locked.
Handle
shw
Vulnerability details
Editing on a previous submission to correct the details
Impact
In the function awardExternalERC721 of contract PrizePool, when awarding external ERC721 tokens to the winner, the transferFrom function is called instead of safeTransferFrom. If the winner is a contract and is not aware of incoming ERC721 tokens, the sent tokens could be locked.
Proof of Concept
Referenced code: PrizePool.sol#L602
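The pattern the report describes, shown side by side with the recommended fix, as an added illustration. This is not code from the PrizePool repository or from the submitter: the pool contracts below are hypothetical minimal stand-ins (access control and prize accounting omitted), and the two winner contracts are constructed to show the difference between a receiver that handles ERC721 tokens and one that does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the ERC721 interfaces used by the example (assumed to match the standard).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(
        address operator, address from, uint256 tokenId, bytes calldata data
    ) external returns (bytes4);
}

// Hypothetical pool mirroring the reported pattern (not PrizePool's code).
contract VulnerablePool {
    function awardExternalERC721(address to, address externalToken, uint256[] calldata tokenIds) external {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            // transferFrom performs no receiver check: if `to` is a contract with
            // no code path that moves the NFT again, the call succeeds and the
            // token is stranded in that contract.
            IERC721(externalToken).transferFrom(address(this), to, tokenIds[i]);
        }
    }
}

// The same function with the recommended change applied.
contract HardenedPool {
    function awardExternalERC721(address to, address externalToken, uint256[] calldata tokenIds) external {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            // Standard ERC721 implementations (e.g. OpenZeppelin's) revert here when
            // `to` is a contract that does not return the onERC721Received selector,
            // so the award fails loudly instead of locking the token.
            IERC721(externalToken).safeTransferFrom(address(this), to, tokenIds[i]);
        }
    }
}

// Constructed winner that is aware of ERC721: acknowledges receipt and can forward
// tokens on later (caller restrictions omitted for brevity).
contract NftAwareWinner is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }

    function forward(address token, address to, uint256 tokenId) external {
        IERC721(token).safeTransferFrom(address(this), to, tokenId);
    }
}

// Constructed winner that is not aware of ERC721: no hook, no transfer logic.
// VulnerablePool.awardExternalERC721 to this address succeeds and locks the token;
// HardenedPool.awardExternalERC721 to this address reverts.
contract UnawareWinner {
    receive() external payable {}
}
```

Two caveats when applying the change. safeTransferFrom hands execution to the winner contract inside onERC721Received, so any prize accounting in the awarding function should be updated before the transfer (checks-effects-interactions) or guarded against reentrancy. The receiver check also only proves that the winner contract acknowledges ERC721 transfers; a contract that returns the selector but has no way to move the token out can still hold it indefinitely.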
Recommended Mitigation Steps
Consider changing transferFrom to safeTransferFrom at line 602.