Submission Details
Severity:
Missing non-zero ETH value in joinGameWithEt() __RockPaperScissors.sol
Summary
The joinGameWithEth function does not check whether the joining player sends a non-zero ETH value.
Vulnerability Details
Without this check, a player can join the game without contributing any ETH, effectively entering for free.
Currently, there is no validation to ensure that the player has paid, which breaks the expected behavior of ETH-based games.
function joinGameWithEth(uint256 _gameId) external payable {
Game storage game = games[_gameId];
game.playerB = msg.sender;
emit PlayerJoined(_gameId, msg.sender);
}
Impact
Free entry: A player can join without paying
Tools Used
Manual review
Recommendations
Add a check to ensure msg.value > 0 before allowing a player to join.
Corrected code:
function joinGameWithEth(uint256 _gameId) external payable {
require(msg.value > 0, "Must send ETH to join");
Game storage game = games[_gameId];
game.playerB = msg.sender;
emit PlayerJoined(_gameId, msg.sender);
}
Rewards breakdown
nSLOC
349This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.