TwentyOne

First Flight #29

Beginner FriendlyGameFiFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Lack of Initial Funds for Player Payout: The Contract Cannot Pay the Player Upon Winning

osuolale

Summary

The startGame function requires players to deposit 1 ether to begin the game, with the expectation that the player will be paid 2 ether if they win. However, there is a critical flaw: the contract does not have any initial ether or any mechanism to accumulate ether, meaning it cannot pay the 2 ether back to the player upon winning. The contract balance is effectively zero at the start, and no external funding or deposit mechanism is in place to handle the payouts.

Vulnerability Details

**Proof of Concept:**

The following test case demonstrates how the lack of initial funds and the inability to return ether causes the game to fail:

Add the following to the `TwentyOne.t.sol` test file.

```javascript

function test_Call_PlayerWins() public {

// twentyOne.startGame{value: 1 ether}(); // Adjust to the actual function if needed

vm.startPrank(player1); // Start acting as player1

uint256 initialPlayerBalance = player1.balance;

console.log("player initial balance: ", initialPlayerBalance);

twentyOne.startGame{value: 1 ether}();

// Mock the dealer's behavior to ensure player wins

// Simulate dealer cards by manipulating state

vm.mockCall(

address(twentyOne),

abi.encodeWithSignature("dealersHand(address)", player1),

abi.encode(18) // Dealer's hand total is 18

);

// Player calls to compare hands

twentyOne.call();

// Check if the player's balance increased (prize payout)

uint256 finalPlayerBalance = player1.balance;

// assertGt(finalPlayerBalance, initialPlayerBalance);

console.log("player latter balance: ", finalPlayerBalance);

vm.stopPrank();

}```

</details>

it will return outOfunds Error, but with the below implementation it will workas expected

```diff

+ // Explicitly call startGame if it is supposed to handle initial ether deposit

+ //twentyOne.startGame{value: 1 ether}(); // Adjust to the actual function if needed

function setUp() public {

twentyOne = new TwentyOne();

+ // Explicitly call startGame if it is supposed to handle initial ether deposit

+ + twentyOne.startGame{value: 1 ether}(); // Adjust to the actual function if needed

vm.deal(player1, 10 ether); // Fund player1 with 10 ether

vm.deal(player2, 10 ether); // Fund player2 with 10 ether

}

```

</details>

Impact

This lack of funds in the contract means that, while the player can deposit 1 ether to start the game, the contract cannot return 2 ether to the player if they win, as it does not hold any ether at all. Consequently, the game is rendered non-functional or deceptive because the contract cannot fulfill its payout obligations. Players would deposit ether but never receive the promised winnings, leading to a broken experience, loss of trust, and potential legal issues.

Tools Used

MANUAL REVIEW: THOROUGH MANUAL REVIEW

FOUNDRY TEST: UNIT TESTING

Recommendations

To fix this issue and ensure the contract can function properly, the following solutions should be considered:

1. Initial Fund Deposit or Collection Mechanism:
The contract should have a way to accumulate ether either by allowing an external deposit (e.g., from the game creator or an admin) or by collecting a portion of each player's deposit into a common pool. This would enable the contract to return funds to players when necessary.

2. **Game Fund Management:**
A mechanism needs to be added that allows ether to be collected into the contract for payouts. This could involve requiring a fund to be deposited before the game starts, either through the game's creator or from a pool established for the purpose of payouts.

3. Balance Check Before Payout:
Before paying out the winning player, ensure that the contract has enough ether. This could be handled by implementing a require statement or a check to verify that the contract has sufficient balance. If not, revert the transaction or use an alternative mechanism to notify the user of insufficient funds.

4. **External Funding Option (if needed):**
Consider integrating external funding sources or allow the contract's creator to fund the contract periodically to ensure it can pay players upon winning.

5. Transparent Payout Expectations:
Clearly specify in the documentation or user interface that the contract must have funds in advance for payouts, and players will only be paid if the contract has sufficient balance.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Insufficient balance for payouts / Lack of Contract Balance Check Before Starting Game

Contract Lacks Mechanism to Initialize or Deposit Ether

Rewards breakdown

nSLOC

147

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.