TwentyOne

First Flight #29
Tags: Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Denial of Service (DoS) Vulnerability Due to Gas Limitation in .transfer() Function

Summary: The contract is vulnerable to a Denial of Service (DoS) condition because it uses .transfer() to send Ether. If the recipient is a contract whose receive or fallback function consumes more than the 2300 gas stipend, the send reverts. This leads to failed transactions and prevents the Ether from being delivered, so affected users cannot receive their winnings or complete the game.

Vulnerability Details:

  • The .transfer() function in Solidity forwards exactly 2300 gas to the recipient. If the recipient is a contract and it consumes more than 2300 gas (such as performing state changes or calling external contracts), the transaction will fail and revert.

  • In this contract, the endGame() function uses .transfer() to send Ether to the player after a game ends. If the player’s contract has a fallback or receive function that consumes more than 2300 gas, the transfer will fail.

  • This leads to a DoS condition: the Ether is not transferred and the whole endGame() transaction, including the game's state changes, is reverted.
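
To illustrate the pattern described above, here is an added example (not the TwentyOne code itself): a hypothetical payout contract that settles with .transfer(), a hardened variant using the pull-payment (withdraw) pattern, and a recipient whose receive() does a storage write and therefore exceeds the 2300-gas stipend. All contract and function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical push-payment contract (constructed example, not the audited code).
// settle() records the win and immediately pays with .transfer(), which forwards
// only 2300 gas to the recipient.
contract PayoutTransfer {
    mapping(address => uint256) public winnings;

    function settle(address player, uint256 amount) external {
        winnings[player] += amount;         // reverted if the transfer below fails
        payable(player).transfer(amount);   // reverts when receive() needs > 2300 gas
    }

    receive() external payable {}
}

// Hardened variant: pull payment. Bookkeeping in settle() never depends on the
// recipient's code; the player withdraws later, and only a misbehaving recipient
// affects itself, not the game's state transition.
contract PayoutPull {
    mapping(address => uint256) public pendingWithdrawals;

    function settle(address player, uint256 amount) external {
        pendingWithdrawals[player] += amount;   // always completes
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;     // zero before sending: checks-effects-interactions
        (bool ok, ) = msg.sender.call{value: amount}("");   // forwards all remaining gas
        require(ok, "ETH send failed");
    }

    receive() external payable {}
}

// Recipient whose receive() writes storage (tens of thousands of gas), far above
// the 2300-gas stipend. PayoutTransfer.settle(address(this), x) reverts for it,
// while PayoutPull.settle followed by withdraw() from this contract succeeds.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;   // storage write exceeds the stipend
    }
}
```

A Foundry test that funds PayoutTransfer, deploys GasHungryReceiver and calls settle() with vm.expectRevert() reproduces the failure, and the same flow against PayoutPull shows the bookkeeping completing regardless of the recipient.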

Impact:

  • Failure of Ether transfer: If the recipient contract requires more gas than allowed by .transfer(), the transaction will fail, and no Ether will be transferred to the player.

  • Reversion of the transaction: Since the transaction fails, any changes to the game state made in the same call (such as card updates or player records) are reverted, leaving the contract in an inconsistent state.

  • Denial of Service (DoS): Players may be unable to withdraw their winnings or interact with the contract, leading to a denial of service.

Tools Used: Manual code review

Recommendations: Denial of Service (DoS) Vulnerability Due to Gas Limitation in .transfer() Function

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
