The contract functions hit() and call() can trigger Ether transfers without proper validation of the recipient address. Specifically, endGame() transfers Ether to the player address it is handed without ensuring that this address matches msg.sender, the account that initiated the game.
Nothing checks that the player argument corresponds to the player who should actually receive the funds.
An attacker could therefore supply a player address of their choosing and redirect the Ether payout to an unintended recipient. This allows unauthorized withdrawals from the contract, causing financial loss and breaking the integrity of the game's payout mechanism.
Validate Recipient Address: Ensure that the recipient of the Ether transfer is the player who started the game. Modify endGame() to pay msg.sender, or pay the player address that was recorded when the game session was created.
Access Control: Verify that only the rightful player can call functions that result in Ether transfers for their session.
Input Sanitization: Do not use a user-supplied address as the payout recipient. Rely on the stored player address associated with the game session instead.
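The following is an added illustration of the issue and of the recommended fix; it is constructed for this write-up and is not the audited contract. The game logic is collapsed to a single round, the Game struct, the numeric game id, the startGame() function and the 2x payout are all assumptions made to keep the payout path visible, and the two contracts differ only in who decides where the Ether goes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for this finding, not the audited contract.
// Only the payout path is modelled; the hand itself is always treated as won.

struct Game {
    address player;   // account that opened the session in startGame()
    uint256 stake;    // wei deposited when the session was opened
    bool active;
}

contract VulnerableGame {
    mapping(uint256 => Game) public games;
    uint256 public nextGameId;

    receive() external payable {}   // house bankroll used to cover payouts

    function startGame() external payable returns (uint256 id) {
        id = nextGameId++;
        games[id] = Game(msg.sender, msg.value, true);
    }

    // Both entry points accept a caller-supplied `player` and never compare it
    // with games[id].player or msg.sender. Anyone who knows an active session
    // id can close that session and name themselves as the payout recipient.
    function hit(uint256 id, address player) external { endGame(id, player); }
    function call(uint256 id, address player) external { endGame(id, player); }

    function endGame(uint256 id, address player) internal {
        Game storage g = games[id];
        require(g.active, "no active game");
        g.active = false;
        uint256 payout = g.stake * 2;                    // assumed win
        (bool ok, ) = player.call{value: payout}("");    // recipient is untrusted input
        require(ok, "transfer failed");
    }
}

contract HardenedGame {
    mapping(uint256 => Game) public games;
    uint256 public nextGameId;

    receive() external payable {}

    function startGame() external payable returns (uint256 id) {
        id = nextGameId++;
        games[id] = Game(msg.sender, msg.value, true);
    }

    // Access control: only the account recorded for the session may drive it.
    modifier onlyPlayer(uint256 id) {
        require(games[id].player == msg.sender, "not your game");
        _;
    }

    // No recipient parameter exists at all, so there is nothing to tamper with.
    function hit(uint256 id) external onlyPlayer(id) { endGame(id); }
    function call(uint256 id) external onlyPlayer(id) { endGame(id); }

    function endGame(uint256 id) internal {
        Game storage g = games[id];
        require(g.active, "no active game");
        g.active = false;                 // state change before the external call
        uint256 payout = g.stake * 2;
        // Pay the address stored at startGame(), never one supplied by the caller.
        (bool ok, ) = g.player.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

Against VulnerableGame, an attacker who sees a victim's startGame() transaction in the mempool or on chain simply calls hit(victimId, attackerAddress) and receives the victim's payout. In HardenedGame the same call reverts with "not your game", and even a legitimate caller cannot choose a different recipient because the recipient is read from storage that only startGame() writes. Clearing g.active before the external call also keeps a malicious recipient from re-entering endGame() for the same session.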