There is no upper limit or control on the amount of ETH that can be sent in the startGame() function. A player can send any amount of ETH, as long as it is 1 ETH or more. However, if the player wins, they will only receive a fixed prize of 2 ETH, instead of a payout based on a 1:2 ratio relative to their stake.
In the startGame() function, a check requires only that the ETH amount sent is 1 ETH or more.
Consider a scenario in which a player accidentally sends 10 ETH.
In the event the player loses, there is no existing function that refunds the additional ETH sent. The player loses 10 ETH to the contract.
In the event the player wins, the player instead loses 8 ETH, because the winning payout is hardcoded in the endGame() function to transfer only 2 ETH to the player.
There is also no withdraw function, other than the transfer within endGame(), which is capped at 2 ETH per win. The player's funds will then be locked in the contract, with no possibility of intervention by the owner of the TwentyOne contract.
Players' funds can be locked in the contract with no maximum amount, so large amounts of ETH can easily be locked by accident.
Manual Review
Consider allowing exactly 1 ETH to be sent to startGame().
Include logic or a function that pays out at a 1:2 ratio relative to how much the player has sent.
Create a withdraw function callable only by the TwentyOne contract owner.
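One way the recommendations above could fit together, as an added sketch that is not the TwentyOne contract's code. The contract name, `stakeOf`, `reserved` and `_endGame` are hypothetical, and the omitted card logic is assumed to call `_endGame` with the result.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; this is not the TwentyOne contract's code.
// Card logic is omitted: the game is assumed to call _endGame() with the result.
contract StakeHandlingSketch {
    address public immutable owner;
    mapping(address => uint256) public stakeOf; // stake of each active game
    uint256 public reserved;                    // worst-case payouts still owed

    constructor() payable {
        owner = msg.sender; // deployer seeds the prize pool
    }

    // Accepts any stake of 1 ETH or more, but records it so the payout can
    // scale with it. The stricter alternative is require(msg.value == 1 ether).
    function startGame() external payable {
        require(msg.value >= 1 ether, "stake below 1 ETH");
        require(stakeOf[msg.sender] == 0, "game already active");
        // balance already includes msg.value; refuse stakes that cannot be paid 1:2
        require(address(this).balance >= reserved + 2 * msg.value, "pool too small");
        stakeOf[msg.sender] = msg.value;
        reserved += 2 * msg.value;
    }

    // Pays 2x the recorded stake on a win instead of a fixed 2 ETH.
    function _endGame(address player, bool playerWon) internal {
        uint256 stake = stakeOf[player];
        require(stake != 0, "no active game");
        delete stakeOf[player];
        reserved -= 2 * stake; // state updated before the external call
        if (playerWon) {
            (bool ok, ) = payable(player).call{value: 2 * stake}("");
            require(ok, "payout failed");
        }
    }

    // Owner can recover only ETH that is not reserved for active games.
    function withdraw(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(amount <= address(this).balance - reserved, "exceeds free balance");
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

With the 10 ETH stake from the scenario, a win pays 20 ETH under this sketch, and a stake the pool cannot cover at 1:2 is rejected in startGame() rather than accepted and locked.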