TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Wrong validation of deposit fee in startGame()

Summary

The README documentation specifies that a player must deposit exactly 1 ETH to start a game. However, the startGame() function only requires the player to send at least 1 ETH, which can lead to inconsistencies. Players sending more than 1 ETH will not receive the excess Ether back, resulting in potential user dissatisfaction and a mismatch between the documented and actual behavior of the contract.

Vulnerability Details

The startGame() function uses require(msg.value >= 1 ether, "not enough ether sent");, allowing players to send more than 1 ETH without receiving a refund for the excess amount.

Impact

  • Players could lose Ether by accidentally sending more than 1 ETH when starting a game. This undermines trust in the contract's behavior.

  • The discrepancy between the README and the actual behavior of the contract may confuse users and reduce confidence in the system.

Tools Used

Manual review

Recommendations

Modify the startGame() function to strictly require exactly 1 ETH to start a game.

require(msg.value == 1 ether, "Must send exactly 1 ETH to start the game");
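
The check quoted in the finding next to the recommended strict check, as an added example that is not code from the TwentyOne contract or from the submitter. The contract name, function names, `STAKE` and the `staked` mapping are hypothetical, and the third variant (refunding the excess) goes beyond the report's recommendation:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contract (not the TwentyOne source): only the deposit
// check from the finding is modelled, all game logic is omitted.
contract DepositCheckDemo {
    uint256 public constant STAKE = 1 ether;

    // ETH the contract retains per player (illustrative bookkeeping only).
    mapping(address => uint256) public staked;

    // Check as quoted in the finding: any amount >= 1 ETH is accepted,
    // and whatever was sent above 1 ETH stays in the contract.
    function startGameAtLeast() external payable {
        require(msg.value >= STAKE, "not enough ether sent");
        staked[msg.sender] += msg.value;
    }

    // Recommendation from the finding: revert unless exactly 1 ETH is sent,
    // so an overpaying call fails and the sender keeps the funds.
    function startGameExact() external payable {
        require(msg.value == STAKE, "Must send exactly 1 ETH to start the game");
        staked[msg.sender] += STAKE;
    }

    // Alternative (assumption, not in the report): accept an overpayment
    // but return the excess to the sender in the same transaction.
    function startGameRefund() external payable {
        require(msg.value >= STAKE, "not enough ether sent");
        staked[msg.sender] += STAKE; // update state before the external call
        uint256 excess = msg.value - STAKE;
        if (excess > 0) {
            (bool ok, ) = payable(msg.sender).call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```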

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] User mistake, too much ETH sent
