Rock Paper Scissors

First Flight #38
Beginner Friendly · Solidity
Submission Details
Severity: high
Valid

Refunds can fail if a recipient is a contract account without a payable receive or fallback function, locking funds permanently.

Summary

In RockPaperScissors::_handleTie, both players A and B are refunded with a push transfer. If either player is a contract account without a payable receive or fallback function, that refund fails and the entire transaction reverts. Neither player can then be refunded, and the funds stay locked in the contract. Because the tie is never settled, the RockPaperScissors contract owner is also unable to withdraw the protocol fees associated with this game.

Vulnerability Details

In the RockPaperScissors::_handleTie function, there is no check for whether playerA or playerB is a contract account. If either of them is a contract without a payable fallback or receive function, the low-level call to it returns false and the require reverts, so RockPaperScissors::_handleTie fails on every attempt and the game's funds remain locked in the contract with no way to withdraw them.

```solidity
function _handleTie(uint256 _gameId) internal {
    // ... game lookup and refundPerPlayer computation omitted in the submission ...
    // Refund both players
    (bool successA, ) = game.playerA.call{value: refundPerPlayer}("");
    (bool successB, ) = game.playerB.call{value: refundPerPlayer}("");
@>  //@audit function execution will fail if any of playerA or playerB
    //is a contract account without receive or fallback payable function
    //and transaction will revert
    require(successA && successB, "Transfer failed");
}
```

Impact

The funds associated with this game will be locked in the RockPaperScissors contract with no possibility of withdrawing them.

Tools Used

Manual review

Recommendations

Implement a pull-based refund mechanism where each player claims their share manually in case of a tie. This removes the failed external call from the settlement path and gives users control over fund retrieval.
Also, allow the RockPaperScissors contract owner to claim protocol fees independently of whether players claim their refunds.
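The following is an added illustration of the pull-based pattern recommended above; it is not the RockPaperScissors project's code. The Game struct, the `games` mapping, the fee split (FEE_BPS) and the function names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code: Game layout, fee split and names are assumed.
contract PullRefundExample {
    struct Game {
        address playerA;
        address playerB;
        uint256 totalPot;   // both bets, protocol fee not yet deducted
        bool settled;
    }
    address public immutable owner;
    uint256 public constant FEE_BPS = 500; // assumed 5% protocol fee
    mapping(uint256 => Game) public games;
    mapping(address => uint256) public pendingRefunds; // per-player credits
    uint256 public accumulatedFees;

    constructor() { owner = msg.sender; }

    // Tie handling: credit balances instead of pushing ETH, so a recipient that
    // cannot accept ETH can no longer block settlement for the other player.
    function _handleTie(uint256 _gameId) internal {
        Game storage game = games[_gameId];
        require(!game.settled, "already settled");
        game.settled = true;
        uint256 fee = (game.totalPot * FEE_BPS) / 10_000;
        uint256 refundPerPlayer = (game.totalPot - fee) / 2;
        accumulatedFees += fee;
        pendingRefunds[game.playerA] += refundPerPlayer;
        pendingRefunds[game.playerB] += refundPerPlayer;
    }

    // Each player withdraws their own refund; a failing call only affects the caller.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effects before interaction (reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
    }

    // Owner collects fees independently of whether players have claimed refunds.
    function withdrawFees() external {
        require(msg.sender == owner, "not owner");
        uint256 amount = accumulatedFees;
        accumulatedFees = 0;
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```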

Updates

Appeal created

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Denial of Service (DoS) due to Unhandled External Call Revert

A malicious player wins a game using a contract that intentionally reverts when receiving ETH; the entire transaction will fail.
