Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Malicious contract can cause reverts on transferred funds

Summary

In _cancelGame, the successful transfer of funds to both players depends on both calls succeeding; if either one fails, the whole transaction is reverted.

Vulnerability Details

_cancelGame implements a push-based approach to transferring the funds back to the users instead of a pull-based approach.

Impact

If either user in a game is a malicious contract that reverts upon receiving ETH, the other user will not be able to receive their funds, which effectively keeps the funds locked in the contract.

Tools Used

Recommendations

Implement a pull-based approach where users can withdraw their funds separately instead of depending on this function to send them the funds.
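
A minimal sketch of the recommended pull-based refund, added here as an illustration and not taken from the audited contract. The contract name, struct, `createGame` helper and `pendingWithdrawals` mapping are hypothetical, and the push variant shown in comments is an assumed shape of the behaviour the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. RefundLedger, Game, createGame and pendingWithdrawals are
// hypothetical names, not identifiers from the audited contract.
contract RefundLedger {
    struct Game { address playerA; address playerB; uint256 bet; bool cancelled; }

    mapping(uint256 => Game) public games;
    mapping(address => uint256) public pendingWithdrawals;

    event RefundCredited(uint256 indexed gameId, address indexed player, uint256 amount);

    // Setup helper (constructed): caller funds both stakes so the sketch is self-contained.
    function createGame(uint256 gameId, address a, address b) external payable {
        require(games[gameId].playerA == address(0), "exists");
        require(a != address(0) && b != address(0), "zero address");
        require(msg.value > 0 && msg.value % 2 == 0, "bad stake");
        games[gameId] = Game(a, b, msg.value / 2, false);
    }

    // Push pattern from the finding, assumed shape, for contrast only:
    //   (bool okA, ) = g.playerA.call{value: g.bet}(""); require(okA);
    //   (bool okB, ) = g.playerB.call{value: g.bet}(""); require(okB);
    // A receiver that reverts at either address reverts the whole cancellation.

    // Pull pattern: cancellation only updates accounting. It makes no external
    // call, so neither player's receive logic can block it.
    // Access control (who may cancel, and when) is omitted from this sketch.
    function cancelGame(uint256 gameId) external {
        Game storage g = games[gameId];
        require(g.playerA != address(0), "no game");
        require(!g.cancelled, "already cancelled");
        g.cancelled = true;
        pendingWithdrawals[g.playerA] += g.bet;
        pendingWithdrawals[g.playerB] += g.bet;
        emit RefundCredited(gameId, g.playerA, g.bet);
        emit RefundCredited(gameId, g.playerB, g.bet);
    }

    // Each player claims separately; a failing receiver only affects its own balance.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0; // effects before interaction (reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With this layout, a contract that reverts on receiving ETH can only fail its own `withdraw()` call; the other player's credited balance stays claimable.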

Updates

Appeal created

m3dython Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Denial of Service (DoS) due to Unhandled External Call Revert

Malicious player wins a game using a contract that intentionally reverts when receiving ETH, the entire transaction will fail
