Unsafe usage of transfer method can lead to stuck tokens in the protocol smart contracts.
Vulnerability Detail
The ERC20 transfer method is called in claimERC20Prize and transferERC20, but does not check if the returned bool value is true. This is problematic because there are tokens on the blockchain which actually do not revert on failure but instead return false (example is ZRX). From the documentation provided we can see that all ERC20 tokens can be used which makes this scenario quite possible.
Impact
If such a token is used and a transfer fails, the tokens will be stuck in the smart contracts forever ( FootiumPrizeDistributor and/or FootiumEscrow).
ddimitrov22
medium
Unsafe usage of transfer method
Summary
Unsafe usage of
transfermethod can lead to stuck tokens in the protocol smart contracts.Vulnerability Detail
The ERC20 transfer method is called in
claimERC20PrizeandtransferERC20, but does not check if the returnedboolvalue istrue. This is problematic because there are tokens on the blockchain which actually do not revert on failure but instead returnfalse(example isZRX). From the documentation provided we can see that all ERC20 tokens can be used which makes this scenario quite possible.Impact
If such a token is used and a transfer fails, the tokens will be stuck in the smart contracts forever (
FootiumPrizeDistributorand/orFootiumEscrow).Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L105-L111
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L128-L131
Tool used
Manual Review
Recommendation
Use the
SafeERC20library fromOpenZeppelinand change thetransfercall to asafeTransfercall instead.Duplicate of #86