Summary

The current contract implementation does not provide a way to ensure that the contract has enough ether to pay out winnings if only one player participates. This issue prevents users from receiving their correct winnings and occurs when no other players can balance the wager pool. To resolve this, the contract should be pre-funded or have a mechanism to ensure it retains enough ether to cover winnings before players are allowed to start a game.

Vulnerability Details

In the current contract implementation, if a player (e.g., player1) sends 1 ether to initiate a game and is the sole player participating, the contract has no available ether balance to pay out the winnings. If player1 wins, they should receive 2 ether (their original wager of 1 ether plus 1 ether as their winnings). However, since the contract does not hold any ether prior to gameplay, it is unable to pay out the correct winnings, effectively preventing the player from withdrawing their rewards.

This issue persists in scenarios where there are no other players, meaning the contract is unable to pay out any winnings to the player, as there is no "loser" from whom to collect the funds. This can occur repeatedly if the game continues without a loser or if a player participates alone.

Impact

The issue prevents players from receiving their winnings if they are the only one playing, as the contract lacks sufficient ether to pay out. This leads to a poor user experience, loss of trust in the protocol, and potential financial instability, as players cannot collect their rewards and the contract may hold locked funds.

Tools Used

Manual review

Recommendations

Ensure the contract is pre-funded with enough ether before players can start the game, or implement a mechanism that automatically retains a portion of each wager to cover payouts. This will guarantee there are sufficient funds for winners, even if only one player participates.