deadrxsezzz - USDT will get permanently stuck in FootiumPrizeDistributor.sol and FootiumEscrow.sol

[sherlock-admin]

deadrxsezzz

medium

USDT will get permanently stuck in FootiumPrizeDistributor.sol and FootiumEscrow.sol

Summary

As stated in the docs, the contracts are stated to work with any ERC20 tokens. If USDT or any USDT-like tokens are sent to FootiumPrizeDistributor.sol and FootiumEscrow.sol, they will be forever stuck.

Vulnerability Detail

FootiumEscrow.sol and FootiumPrizeDistributor.sol use such IERC20/IERC20Upgradeable interfaces, that expect a boolean to be returned from the transfer method. USDT, for example, doesn't return such value. When calling FootiumEscrow.sol#setApprovalForERC20 FootiumEscrow.sol#transferERC20 and FootiumPrizeDistributor.sol#claimERC20Prize the address of the token is expected to comply with the IERC20 interface. Since USDT doesn't comply with the interface the transactions will revert. Any USDT-like sent to any of the two contracts mentioned will get permanently lost.
Note:
Since USDT does not return a boolean when .transferFrom is called, but the ERC20 interface used defines that there will be a boolean returned, the compiler will check whether the returndatasize() is 32 bytes (one word size) and revert if this is not true.

Impact

Permanent loss of any USDT/ USDT-like tokens sent to FootiumPrizeDistributor.sol and FootiumEscrow.sol

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L106
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L106
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L76

Tool used

Manual Review

Recommendation

Do not use IERC20 interface. Also, use SafeERC20 library

Duplicate of #14