TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Invalid

[M-0] Insufficient check of the sent wager (TwentyOne::startGame())

Summary

Incorrect check of the sent wager in the TwentyOne::startGame() function.

Vulnerability Details

Description: In line 2 of the TwentyOne::startGame() function, the wager is only checked to be 1 ETH or more, instead of being checked to be exactly 1 ETH.

Impact

This makes it possible for a player to lose part of their wager even on a win, since the contract's payout is calculated relative to a 1 ETH wager rather than the amount actually sent. While not exploitable, this can result in a loss of funds for the player.

Tools Used

Remix for a quick PoC.

Recommendations

Changing the conditional revert in line 2 of TwentyOne::startGame() to check for the exact value of 1 ETH instead will mitigate the issue. Additionally, moving the conditional revert to line 1 may reduce the gas cost of a revert, since nothing else is executed before the check fails.
Code example:

    function startGame() public payable returns (uint256) {
        // Reject any wager that is not exactly 1 ETH, before doing any other work.
        require(msg.value == 1 ether, "wager must be exactly 1 ether");
        address player = msg.sender;
        initializeDeck(player);
        uint256 card1 = drawCard(player);
        uint256 card2 = drawCard(player);
        addCardForPlayer(player, card1);
        addCardForPlayer(player, card2);
        return playersHand(player);
    }
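To make the impact described above concrete, here is an added Foundry test (example code, not from the original submission or the TwentyOne codebase) that puts the reported "1 ETH or more" check beside the recommended exact-value check in a minimal stand-in contract. The contract name WagerDemo, the win() function, the revert strings and the fixed 2x payout (standing in for the contract's 1-ETH-relative payout) are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the wager handling (assumed; not the real TwentyOne contract).
// `strict` selects the recommended `==` check instead of the reported `>=` check.
contract WagerDemo {
    uint256 public constant WAGER = 1 ether;
    bool public immutable strict;
    mapping(address => bool) public inGame;

    constructor(bool _strict) payable { strict = _strict; }

    function startGame() external payable {
        if (strict) require(msg.value == WAGER, "wager must be exactly 1 ether");
        else require(msg.value >= WAGER, "not enough ether sent"); // reported check
        inGame[msg.sender] = true;
    }

    // Payout is fixed relative to the 1 ETH design wager, not to msg.value (2x assumed).
    function win() external {
        require(inGame[msg.sender], "not in game");
        inGame[msg.sender] = false;
        (bool ok,) = msg.sender.call{value: 2 * WAGER}("");
        require(ok, "payout failed");
    }
}

contract WagerDemoTest is Test {
    address player = makeAddr("player");

    function test_overpaymentIsLostOnWin() public {
        WagerDemo lax = new WagerDemo{value: 10 ether}(false);
        vm.deal(player, 3 ether);
        vm.startPrank(player);
        lax.startGame{value: 3 ether}();
        lax.win();
        vm.stopPrank();
        // Wagered 3 ETH and won, but holds only 2 ETH: 1 ETH lost on a winning hand.
        assertEq(player.balance, 2 ether);
    }

    function test_strictCheckRejectsOverpayment() public {
        WagerDemo strictGame = new WagerDemo{value: 10 ether}(true);
        vm.deal(player, 3 ether);
        vm.expectRevert(bytes("wager must be exactly 1 ether"));
        vm.prank(player);
        strictGame.startGame{value: 3 ether}();
    }
}
```

Run with forge test in a project that has forge-std installed; the first test shows the silent loss, the second shows the recommended check rejecting the overpayment up front.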
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] User mistake, too much ETH sent
