Submission Details
Severity:
[H-1] Winner may never be able to withdraw funds
Summary
The winner may never be able to withdraw funds.
Vulnerability Details
As the endGame function is trying to send 2 ethers to the winner it may fail when the balance of the TwentyOne contract is less than 2 ether.
Impact
The winner may never be able to get these rewards in one go.
POC
function test_fail_PlayerWins_at_one_go() public {
vm.startPrank(player1); // Start acting as player1
twentyOne.startGame{value: 1 ether}();
// Mock the dealer's behavior to ensure player wins
// Simulate dealer cards by manipulating state
vm.mockCall(
address(twentyOne),
abi.encodeWithSignature("dealersHand(address)", player1),
abi.encode(18) // Dealer's hand total is 18
);
uint256 initialPlayerBalance = player1.balance;
// Player calls to compare hands
vm.expectRevert();
twentyOne.call();
// Check if the player's balance has increased (prize payout) which is not
uint256 finalPlayerBalance = player1.balance;
assertLe(finalPlayerBalance, initialPlayerBalance);
vm.stopPrank();
}
Tools Used
Manual review.
Recommendations
Use better logic for reward distribution.
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Assigned finding tags:
Insufficient balance for payouts / Lack of Contract Balance Check Before Starting Game
Rewards breakdown
nSLOC
147This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.