search

sherlock-audit / 2023-04-footium-judging

13 stars 7 forks source link

0xnirlin - User may not be able to claim any rewards due to use of transfer in `claimErc20Prize` #359

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xnirlin

high

User may not be able to claim any rewards due to use of transfer in claimErc20Prize

Summary

in FootiumPrizeDistribution contract in claimErc20Prize function uses the transfer instead of safeTransfer which can lead to unclaimed prize for user if the token don't revert on failed transfer and instead return boolean false on revert like ZRX

Vulnerability Detail

As in sherlock discription the protocol allows all erc20 token which includes the implementation of tokens which do not revert on transfer failure but instead return a boolean false, so if such token is being used as reward token for prize distribution is user claim his erc20 reward and boolean false is returned it can lead updating the mapping and user will be unable to claim any reward.

Look at following snippet from the claimErc20Prize function:

        if (value > 0) {
            totalERC20Claimed[_token][_to] += value;
            _token.transfer(_to, value);
        }

so if value is greater than 0 and mapping is updated for token claimed, and in next line transfer fails we will still move on with the transaction and all the states will be updated as the user claimed the token which is actually not true.

Impact

User will not be able to claim any prize.

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131

Tool used

Manual Review

Recommendation

use safeTransfe library from openzeppelin for erc20 transfers.

Duplicate of #86