When the defender places a bet and transfers their rapper NFT and _credBet, it remains in the contract until matched with a potential challenger with an equal bet amount. Consequently, the defender has no mechanism to reclaim the bet if no challenger places a bet with the same amount and it remains unmatched.
The impact of this vulnerability can be significant, particularly for the defender. Without the ability to retrieve their unmatched bet, the defender could potentially lose the credited tokens permanently as well as their rapper NFT. This undermines the fairness and functionality of the betting system, eroding user trust.
Manual Review
Refund Mechanism: Implement a refund mechanism that allows the defender to reclaim the _credBet if it remains unmatched. This ensures that users are not disadvantaged due to unmatched bets and provides a safety net against potential loss.
Timeout Mechanism: Introduce a timeout mechanism that automatically cancels unmatched bets after a predefined period. This ensures that unused bets are returned to the defender in a timely manner, preventing the accumulation of unclaimed funds within the contract.
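One way to combine the two recommendations above, as an added sketch that is not the audited project's code. The contract name, the state variables, the `BET_TIMEOUT` value and the function names are assumptions; only the defender side is shown and challenger matching is omitted. A contract cannot cancel a bet on its own, so the timeout is enforced by letting any account trigger the refund once the period has elapsed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces; the bet token and rapper NFT are assumed to be standard ERC-20 / ERC-721.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical escrow: defender deposit plus the missing refund path.
contract BattleEscrowSketch {
    IERC20 public immutable credToken;
    IERC721 public immutable rapperNft;
    uint256 public constant BET_TIMEOUT = 1 days; // assumed value, pick per protocol
    address public defender;
    uint256 public defenderTokenId;
    uint256 public defenderBet;
    uint256 public defenderSince; // timestamp of the unmatched deposit

    constructor(address cred, address nft) {
        credToken = IERC20(cred);
        rapperNft = IERC721(nft);
    }

    function placeDefenderBet(uint256 tokenId, uint256 _credBet) external {
        require(defender == address(0), "defender slot taken");
        defender = msg.sender;
        defenderTokenId = tokenId;
        defenderBet = _credBet;
        defenderSince = block.timestamp;
        rapperNft.transferFrom(msg.sender, address(this), tokenId);
        require(credToken.transferFrom(msg.sender, address(this), _credBet), "bet transfer failed");
    }

    // Refund: the defender may withdraw at any time; after BET_TIMEOUT anyone may trigger it.
    function withdrawUnmatchedBet() external {
        address to = defender;
        require(to != address(0), "no unmatched bet");
        require(msg.sender == to || block.timestamp >= defenderSince + BET_TIMEOUT, "not defender, not expired");
        (uint256 tokenId, uint256 bet) = (defenderTokenId, defenderBet);
        // Clear state before the external calls (checks-effects-interactions).
        delete defender; delete defenderTokenId; delete defenderBet; delete defenderSince;
        rapperNft.transferFrom(address(this), to, tokenId);
        require(credToken.transfer(to, bet), "refund failed");
    }
}
```

In both cases the NFT and tokens return only to the recorded defender, so the post-timeout call by a third party cannot redirect the assets.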