Trick or Treat

First Flight #27
Beginner Friendly · Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Lack of Payment Validation

Summary

The trickOrTreat() function does not strictly validate the msg.value against the required amount, which can lead to overpayments or underpayments.

Vulnerability Details

Function: trickOrTreat()

  • Code Reference:

require(msg.value >= requiredCost, "Insufficient ETH sent for treat");

While the contract checks that the ETH sent is at least requiredCost, it does not enforce an exact amount.

Impact

This could lead to user error or unintended behavior, especially in the case of overpayments, where a user sends more ETH than the required amount.

Tools Used

  • Manual Code Review

Recommendations

Enforce strict equality for the msg.value:

require(msg.value == requiredCost, "Incorrect ETH amount sent");
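The following is an added worked example, not code from the Trick or Treat protocol or from this submission. It uses a hypothetical minimal contract (TreatShop) whose only borrowed elements are the two require checks quoted above; requiredCost is set to a constructed value of 0.01 ether, and the Foundry test assumes forge-std is available. It contrasts the original `>=` check, the recommended `==` check, and a third variant that accepts at-least payment and refunds the excess, so the behavior of each on an overpayment can be seen side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical contract written for this note; it is not the protocol's code.
contract TreatShop {
    uint256 public constant requiredCost = 0.01 ether; // constructed price
    mapping(address => uint256) public treats;

    // Variant 1: the check quoted in the submission. Any msg.value at or
    // above requiredCost passes, and any excess stays in the contract.
    function trickOrTreatLoose() external payable {
        require(msg.value >= requiredCost, "Insufficient ETH sent for treat");
        treats[msg.sender] += 1;
    }

    // Variant 2: the recommended strict check. Both under- and overpayment revert.
    function trickOrTreatStrict() external payable {
        require(msg.value == requiredCost, "Incorrect ETH amount sent");
        treats[msg.sender] += 1;
    }

    // Variant 3 (alternative mitigation, not from the submission): accept
    // at-least payment but return the excess to the caller.
    function trickOrTreatRefund() external payable {
        require(msg.value >= requiredCost, "Insufficient ETH sent for treat");
        treats[msg.sender] += 1;
        uint256 excess = msg.value - requiredCost;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "Refund failed");
        }
    }
}

contract TreatShopTest is Test {
    TreatShop shop;
    address user = makeAddr("user");

    function setUp() public {
        shop = new TreatShop();
        vm.deal(user, 1 ether);
    }

    // Overpaying by 0.04 ether: the loose check accepts it and the contract keeps it.
    function testLooseKeepsOverpayment() public {
        vm.prank(user);
        shop.trickOrTreatLoose{value: 0.05 ether}();
        assertEq(address(shop).balance, 0.05 ether);
        assertEq(shop.treats(user), 1);
    }

    // Same overpayment against the strict check reverts with the recommended message.
    function testStrictRejectsOverpayment() public {
        vm.prank(user);
        vm.expectRevert(bytes("Incorrect ETH amount sent"));
        shop.trickOrTreatStrict{value: 0.05 ether}();
    }

    // Same overpayment against the refund variant: contract keeps exactly the price.
    function testRefundReturnsExcess() public {
        vm.prank(user);
        shop.trickOrTreatRefund{value: 0.05 ether}();
        assertEq(address(shop).balance, 0.01 ether);
        assertEq(user.balance, 0.99 ether);
    }
}
```

Run with `forge test`. The strict check is the simplest fix and matches the recommendation above; the refund variant is worth knowing because it tolerates wallets that round amounts up, at the cost of an external call that must be checked for success.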

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
