Summary
Use of the built-in transfer function is limited to 2300 gas only.
Vulnerability Details
Ending the game uses the transfer method, which is tied to a 2300 gas limit. That is not enough to successfully transfer to accounts that perform heavy computation when receiving ether.
    function endGame(address player, bool playerWon) internal {
        delete playersDeck[player].playersCards;
        delete dealersDeck[player].dealersCards;
        delete availableCards[player];
        if (playerWon) {
            payable(player).transfer(2 ether); // <= forwards only 2300 gas
            emit FeeWithdrawn(player, 2 ether);
        }
    }
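The failure mode described above, as an added example that is not part of the audited contract. The contracts RecordingWallet and PayoutDemo and their function names are hypothetical; the recipient does a single storage write on receive, which is already enough to exceed the stipend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical winner account: a contract wallet that counts its deposits.
// One storage write in receive() costs far more than 2300 gas.
contract RecordingWallet {
    uint256 public deposits;

    receive() external payable {
        deposits += 1; // SSTORE: cannot complete within the 2300 gas stipend
    }
}

// Hypothetical payer reduced to the two payout styles under discussion.
// No access control: demonstration only.
contract PayoutDemo {
    constructor() payable {}

    // Same pattern as endGame: reverts when `to` is a RecordingWallet,
    // because transfer forwards only the 2300 gas stipend.
    function payWithTransfer(address to, uint256 amount) external {
        payable(to).transfer(amount);
    }

    // Forwards all remaining gas, so RecordingWallet.receive() completes.
    // call returns false instead of reverting, so the result must be checked.
    function payWithCall(address to, uint256 amount) external {
        (bool success, ) = payable(to).call{value: amount}("");
        require(success, "payout failed");
    }
}
```

Funding PayoutDemo at deployment and calling each function with a RecordingWallet address shows payWithTransfer reverting and payWithCall incrementing deposits.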
Impact
The winner's account won't receive fees.
Tools Used
Recommendations
Use the low-level call function instead of transfer.
function endGame(address player, bool playerWon) internal {
delete playersDeck[player].playersCards; // Clear the player's cards
delete dealersDeck[player].dealersCards; // Clear the dealer's cards
delete availableCards[player]; // Reset the deck
if (playerWon) {
- payable(player).transfer(2 ether);
+ (bool success,) = msg.sender.call{ value: 2 ether }("");
+ require(success);
emit FeeWithdrawn(player, 2 ether); // Emit the prize withdrawal event
}
}
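Review bot: the added line pays `msg.sender`, while the removed line paid `player` and the `FeeWithdrawn` event still reports `player`. Since endGame is internal and takes `player` as a parameter, nothing in these lines guarantees the two are the same address, so the call should target `payable(player).call{ value: 2 ether }("")`. `require(success)` would also benefit from a revert reason. Because call forwards all remaining gas, the recipient can reenter; the three deletes already run before the external call, and that ordering should be kept.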