TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Contract Fails to Enforce Exact 1 ETH Wager (Excess Funds Locked)

Summary

The contract does not enforce the project requirement that a player wagers exactly 1 ETH to play. startGame only checks that at least 1 ETH was sent, so a player who sends more than 1 ETH has the surplus retained by the contract with no refund. The game logic never accounts for that surplus, and a winning hand still pays out the fixed maximum of 2 ETH described in the project details. The practical result is a loss of funds for any user who overpays.

Vulnerability Details

  • Root Cause:

    • The startGame function enforces only a lower bound of 1 ETH on the wager and does not check that exactly 1 ETH was sent:

      require(msg.value >= 1 ether, "not enough ether sent");
    • Any Ether above 1 ETH stays locked in the contract: it is neither refunded nor reflected in the game outcome.

  • Symptoms:

    • If a player sends 2 ETH instead of 1 ETH:

      • The game proceeds as if exactly 1 ETH had been wagered.

      • The extra 1 ETH remains in the contract balance.

      • If the player wins, the payout is still capped at 2 ETH, regardless of the amount actually sent.

  • Deviation from Project Rules:

    • The project specifies that:

      • A player must wager 1 ETH to play.

      • The maximum payout for a win is 2 ETH.

    • Accepting wagers above 1 ETH contradicts these rules and leaves the status of the surplus undefined.

Impact

  • Financial Loss:

    • Players who send more than 1 ETH lose the excess amount, as it is locked in the contract and not refunded.

  • Violation of Game Rules:

    • The contract does not enforce the stated rule that players must wager exactly 1 ETH, undermining game integrity.

  • Transparency and Trust Issues:

    • Players may assume that a larger wager raises their payout, and will be confused or dissatisfied when a win still returns only the fixed 2 ETH.

Tools Used

Manual code review.

Recommendations

  1. Enforce Exact Wager Amount:

    • Update the startGame function to ensure the player sends exactly 1 ETH:

      require(msg.value == 1 ether, "Wager must be exactly 1 ETH");
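The following Foundry test is an added example and is not code from the TwentyOne repository. It uses two stripped-down stand-in contracts (LooseWager with the original `>=` check and ExactWager with the recommended `==` check) that keep only the wager validation under discussion; the deck, hit/stand logic and the 2 ETH payout are assumed away, and the `wagerOf` mapping is a hypothetical stand-in for however the real contract tracks a game. The first test shows the surplus being retained while only 1 ETH is credited; the second shows the exact-amount check rejecting the overpayment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the original startGame(): accepts any value >= 1 ether
// and records a flat 1 ETH wager, so anything above that is silently kept.
contract LooseWager {
    mapping(address => uint256) public wagerOf;

    function startGame() external payable {
        require(msg.value >= 1 ether, "not enough ether sent");
        wagerOf[msg.sender] = 1 ether; // game proceeds as if exactly 1 ETH was staked
    }
}

// Same stand-in with the recommended fix: the wager must be exactly 1 ether.
contract ExactWager {
    mapping(address => uint256) public wagerOf;

    function startGame() external payable {
        require(msg.value == 1 ether, "Wager must be exactly 1 ETH");
        wagerOf[msg.sender] = 1 ether;
    }
}

contract WagerCheckTest is Test {
    address internal player = makeAddr("player");

    // With the >= check, sending 2 ETH leaves 2 ETH in the contract but only
    // 1 ETH is credited to the player's game; the extra 1 ETH has no owner.
    function test_looseCheckRetainsExcess() public {
        LooseWager game = new LooseWager();
        vm.deal(player, 2 ether);

        vm.prank(player);
        game.startGame{value: 2 ether}();

        assertEq(address(game).balance, 2 ether);
        assertEq(game.wagerOf(player), 1 ether);
        assertEq(player.balance, 0); // the player is out the full 2 ETH
    }

    // With the == check, the overpayment reverts and the player keeps their funds;
    // a correctly sized wager is still accepted.
    function test_exactCheckRejectsExcess() public {
        ExactWager game = new ExactWager();
        vm.deal(player, 2 ether);

        vm.prank(player);
        vm.expectRevert(bytes("Wager must be exactly 1 ETH"));
        game.startGame{value: 2 ether}();
        assertEq(player.balance, 2 ether);

        vm.prank(player);
        game.startGame{value: 1 ether}();
        assertEq(address(game).balance, 1 ether);
        assertEq(game.wagerOf(player), 1 ether);
    }
}
```

Run it from a Foundry project with `forge test --match-contract WagerCheckTest`. Rejecting the transaction outright is preferable to refunding the difference: a refund would add an external call to msg.sender inside startGame, which widens the attack surface for no benefit when the rule is simply "send exactly 1 ETH".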
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] User mistake, too much ETH sent
