Submission Details
Severity: high
Invalid

Misuse of call for Fund Transfer in ThePredicter::cancelRegistration() function

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-the-predicter/blob/main/src/ThePredicter.sol#L62-L70

Summary

Misuse of call for Fund Transfer in ThePredicter::cancelRegistration() function. Using the low-level call function for transferring funds can lead to unexpected behavior if the recipient is a contract with fallback functions.

Vulnerability Details

The refund of entranceFee in ThePredicter::cancelRegistration() uses the low-level call, which forwards all remaining gas to msg.sender. If the recipient is a contract, its fallback or receive function executes during that call, and it does so before playersStatus[msg.sender] is set to Status.Canceled, which can lead to unexpected behavior.

    function cancelRegistration() public {
        if (playersStatus[msg.sender] == Status.Pending) {
            (bool success, ) = msg.sender.call{value: entranceFee}("");
            require(success, "Failed to withdraw");
            playersStatus[msg.sender] = Status.Canceled;
            return;
        }
        revert ThePredicter__NotEligibleForWithdraw();
    }

Impact

Because the external call runs with the full forwarded gas while the player's status is still Pending, a recipient contract that behaves maliciously or unexpectedly can interact with ThePredicter in ways this function does not anticipate, which might inadvertently introduce vulnerabilities.

Tools Used

Manual

Recommendations

Prefer using transfer or send for simple fund transfers; both forward only a fixed 2300 gas stipend, which is a built-in limit on what a recipient's fallback can do during the transfer.
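As an added example (not the submission's or the project's own code), the function above rewritten so that the status update precedes the external call, with a Foundry test checking that a Pending player is refunded once and a second cancel reverts; it keeps call and reorders state and interaction, which is the check a reviewer would want alongside the transfer/send recommendation. The enum members other than Pending and Canceled, the register() helper and the 0.04 ether fee are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not ThePredicter's own code. Storage names mirror the finding;
// the enum members other than Pending/Canceled and register() are assumptions.
contract CancelRegistrationExample {
    enum Status { Unknown, Pending, Approved, Canceled }
    error ThePredicter__NotEligibleForWithdraw();
    uint256 public immutable entranceFee;
    mapping(address => Status) public playersStatus;

    constructor(uint256 fee) { entranceFee = fee; }

    function register() external payable {
        require(msg.value == entranceFee, "Wrong fee");
        require(playersStatus[msg.sender] == Status.Unknown, "Already registered");
        playersStatus[msg.sender] = Status.Pending;
    }

    // Status is set to Canceled before the external call, so any fallback the
    // recipient runs during the call already sees the updated state.
    function cancelRegistration() external {
        if (playersStatus[msg.sender] != Status.Pending) {
            revert ThePredicter__NotEligibleForWithdraw();
        }
        playersStatus[msg.sender] = Status.Canceled;
        (bool success, ) = msg.sender.call{value: entranceFee}("");
        require(success, "Failed to withdraw");
    }
}

contract CancelRegistrationExampleTest is Test {
    CancelRegistrationExample internal predicter;
    address internal player = makeAddr("player");

    function setUp() public {
        predicter = new CancelRegistrationExample(0.04 ether); // constructed fee
        vm.deal(player, 1 ether);
        vm.prank(player);
        predicter.register{value: 0.04 ether}();
    }

    function testRefundedOnceThenReverts() public {
        vm.prank(player);
        predicter.cancelRegistration();
        assertEq(player.balance, 1 ether); // fee refunded exactly once
        vm.prank(player);
        vm.expectRevert(CancelRegistrationExample.ThePredicter__NotEligibleForWithdraw.selector);
        predicter.cancelRegistration();
    }
}
```

Run with forge test in a Foundry project that has forge-std installed.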

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
