The trickOrTreat()
function does not strictly validate the msg.value
against the required amount, which can lead to overpayments or underpayments.
Function: trickOrTreat()
Code Reference:
While the contract checks if the sent ETH is at least requiredCost
, it doesn’t enforce exact amounts.
This could lead to user errors or unintended behavior, especially in the case of overpayments where users send more than necessary.
Manual Code Review
Enforce strict equality for the msg.value
:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.