TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
Submission Details
Severity: high
Invalid

Lack of Recipient Address Validation May Lead to Unauthorized Ether Transfers

Root Cause

The contract functions hit and call can trigger Ether transfers without proper validation of the recipient address. Specifically, in the endGame function, the contract transfers Ether to the player address without ensuring that this address matches msg.sender, who initiated the game:

    function endGame(address player, bool playerWon) internal {
        // ...
        if (playerWon) {
            payable(player).transfer(2 ether); // Transfer the prize to the player
            emit FeeWithdrawn(player, 2 ether); // Emit the prize withdrawal event
        }
    }

There are no checks to confirm that the player parameter corresponds to the actual player who should receive the funds.

Impact

An attacker could manipulate the player address to redirect the Ether payout to an unintended recipient. This could result in unauthorized withdrawals from the contract, leading to financial losses and compromising the integrity of the game's payout mechanism.

Recommendations

  • Validate Recipient Address: Ensure that the recipient of the Ether transfer is indeed the player who started the game. Modify the endGame function to use msg.sender or securely track the player's address throughout the game.

  • Access Control: Implement checks to verify that only the rightful player can call functions that result in Ether transfers.

  • Input Sanitization: Avoid using user-supplied addresses without validation. Instead, rely on the stored player addresses associated with the game session.
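As an added illustration (not the TwentyOne contract's own code, and using hypothetical names), this is the pattern the recommendations describe: the payout recipient is read from session state keyed by msg.sender rather than taken from a parameter, and the session is cleared before the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the TwentyOne contract's code. The game binds
// each session to msg.sender when it opens and pays out only to that
// stored address, so the recipient never comes from a caller-supplied
// parameter. All names are hypothetical.
contract PayoutToStoredPlayer {
    struct Session {
        bool active;
        uint256 stake;
    }
    // Keyed by the player's own address: the session is the proof of who staked.
    mapping(address => Session) private sessions;

    event PrizePaid(address indexed player, uint256 amount);
    error NoActiveGame(address player);
    error TransferFailed();

    // Opening a game takes no address argument; the stake is locked to msg.sender.
    function startGame() external payable {
        require(msg.value == 1 ether, "stake exactly 1 ether");
        require(!sessions[msg.sender].active, "game already running");
        sessions[msg.sender] = Session({active: true, stake: msg.value});
    }

    // Settles msg.sender's own session only. The outcome is passed in merely to
    // keep the illustration short; a real game computes it from its own state.
    function settle(bool playerWon) external {
        _endGame(msg.sender, playerWon);
    }

    // `player` is always the key of an existing session, so the 2x payout can
    // only reach the address that staked. State is cleared before the external
    // call (checks-effects-interactions), which also blocks re-entrant double pays.
    function _endGame(address player, bool playerWon) internal {
        Session memory s = sessions[player];
        if (!s.active) revert NoActiveGame(player);
        delete sessions[player];
        if (playerWon) {
            uint256 prize = s.stake * 2;
            (bool ok, ) = payable(player).call{value: prize}("");
            if (!ok) revert TransferFailed();
            emit PrizePaid(player, prize);
        }
    }

    receive() external payable {} // lets the deployer fund the prize pool
}
```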

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
