Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Smart contract wallets without `receive` or `fallback` functions

Summary

Players using smart contract wallets without a `receive` or `fallback` function will face a poor experience in TrickOrTreat.

Vulnerability Details

The `SpookySwap::trickOrTreat` function provides the opportunity to mint an NFT (treat), and if `msg.value > requiredCost`, the player is refunded `msg.value - requiredCost`. If the player is a smart contract wallet that rejects the payment, the treat will not be minted: the failed refund reverts the whole participation transaction.
The same applies when calling `SpookySwap::resolveTrick`: an unsuccessful refund reverts the `_transfer`.

Proof of Concept:

  1. 5 smart contracts without a `receive` or `fallback` function enter the lottery.

  2. For all of them the transaction is reverted, bringing a poor user experience.

Impact

The `SpookySwap::trickOrTreat` function may revert many times when the refund is unsuccessful, bringing a poor user experience.
The same case appears in the `SpookySwap::resolveTrick` function.

Tools Used

Manual

Recommendations

There are a few options to mitigate:

  1. Do not allow smart contract wallet entrants (not recommended).

  2. Create a mapping of address -> refund amount so players can mint their NFT successfully and pull their funds out themselves with a new `refund` function (recommended).
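The pull-payment refund from option 2, written out as an added example (this is not SpookySwap's code; `pendingRefunds`, `withdrawRefund`, `treats` and the 0.01 ether cost are assumed names and values). The same change applies to the refund path in `resolveTrick`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of a pull-over-push refund; not the project's own contract.
contract PullRefundExample {
    uint256 public constant requiredCost = 0.01 ether; // assumed value

    // Refund owed to each player, credited instead of sent immediately.
    mapping(address => uint256) public pendingRefunds;
    // Stand-in for the ERC721 mint so the example is self-contained.
    mapping(address => uint256) public treats;

    event RefundCredited(address indexed player, uint256 amount);
    event RefundWithdrawn(address indexed player, uint256 amount);

    function trickOrTreat() external payable {
        require(msg.value >= requiredCost, "insufficient payment");

        treats[msg.sender] += 1; // mint happens regardless of the wallet type

        uint256 excess = msg.value - requiredCost;
        if (excess > 0) {
            // Credit only, no external call: a wallet without receive/fallback
            // can no longer make this transaction revert.
            pendingRefunds[msg.sender] += excess;
            emit RefundCredited(msg.sender, excess);
        }
    }

    // The player withdraws the refund themselves. Checks-effects-interactions:
    // zero the balance before the external call so a failing or reentrant
    // receiver can only affect its own withdrawal, never the mint.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to refund");
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund transfer failed");
        emit RefundWithdrawn(msg.sender, amount);
    }
}
```

A wallet that cannot accept ether still keeps its minted treat and its credited balance; only its own `withdrawRefund` call reverts, so it can upgrade or route the refund later without blocking other players.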

Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
