Submission Details
Severity:
Missing Overpayment Refund in startGame() Leads to Lost Player Funds
Summary
The TwentyOne contract accepts overpayments in startGame() without refunding excess ETH above the required 1 ETH bet, leading to permanent loss of player funds.
Vulnerability Details
No Overpayment Handling:
Function only checks for minimum payment
Excess ETH remains trapped in contract
function startGame() public payable returns (uint256) {
require(msg.value >= 1 ether, "not enough ether sent");
// No refund of msg.value > 1 ether
Impact
Players lose excess funds above 1 ETH
No mechanism to recover overpaid amounts
Poor user experience and potential loss of trust
Tools Used
Manual Code Review
Recommendations
Implement exact payment or refund excess:
function startGame() public payable returns (uint256) {
require(msg.value >= 1 ether, "not enough ether sent");
uint256 excess = msg.value - 1 ether;
if (excess > 0) {
(bool success,) = msg.sender.call{value: excess}("");
require(success, "Refund failed");
}
// ... rest of the function
}
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
[INVALID] User mistake, too much ETH sent
Appeal created
eierina
11 months ago
inallhonesty
11 months ago
inallhonesty 11 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
[INVALID] User mistake, too much ETH sent
Rewards breakdown
nSLOC
147This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.