TwentyOne

First Flight #29

Beginner FriendlyGameFiFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[M-01] Lack of Essential Administrative Controls in TwentyOne Contract

iepathos

Summary

The TwentyOne contract lacks critical administrative controls necessary for managing a gambling contract that handles user funds. Without these controls, the contract has no mechanism to handle emergencies, manage house funds, or protect against potential vulnerabilities.

Vulnerability Details

Location: src/TwentyOne.sol

The contract currently lacks several essential administrative features:

No owner/admin role implementation
No emergency pause mechanism
No way to withdraw accumulated house funds
No way to add house funds if depleted
No mechanism to handle stuck funds

Impact

The lack of administrative controls presents several risks:

Financial Risks
- Stuck funds cannot be recovered
- House could run out of funds to pay winners
- No way to top up house funds if depleted
Security Risks
- No way to pause the contract if a vulnerability is discovered
- No way to upgrade or fix critical bugs
- No protection against potential exploits
Operational Risks
- No mechanism to handle edge cases
- No way to manage house operations
- Limited ability to respond to emergencies

Tools Used

Manual Code Review
Foundry Testing Framework
Static Analysis

Recommendations

Implement Ownable Pattern:

import "@openzeppelin/contracts/access/Ownable.sol";

contract TwentyOne is Ownable {

bool public paused;

modifier whenNotPaused() {

require(!paused, "Contract is paused");

}

function togglePause() external onlyOwner {

paused = !paused;

}

Add House Fund Management:

function withdrawHouseFunds(uint256 amount) external onlyOwner {

require(amount <= address(this).balance, "Insufficient funds");

payable(owner()).transfer(amount);

}

function addHouseFunds() external payable onlyOwner {

// Allows adding funds to the house

}

Emergency Functions:

function emergencyWithdraw() external onlyOwner {

uint256 balance = address(this).balance;

payable(owner()).transfer(balance);

}

function refundActiveGame(address player) external onlyOwner {

require(playersDeck[player].playersCards.length > 0, "No active game");

payable(player).transfer(1 ether);

delete playersDeck[player].playersCards;

delete dealersDeck[player].dealersCards;

delete availableCards[player];

}

Additional Recommendations:
- Implement a minimum house balance requirement
- Add events for administrative

Updates

Lead Judging Commences

inallhonesty Lead Judge

11 months ago

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Owner has no method to withdraw

Contract Lacks Mechanism to Initialize or Deposit Ether

Rewards breakdown

nSLOC

147

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.