Refunds on game tie or cancellation could be forcefully reverted
Summary
Deliberate denial of token transfer can revert token refunds in a game.
Vulnerability Details
When a game ends, betting money will be refunded to the players, and checks are implemented to ensure that playerA and playerB could receive the token through direct transfer. Deliberate denial will revert the refunds.
In this case, deliberate denial when the game has one winning side has no use (other from self-harming), so we won't mention it.
However, for a tie and/or cancellation, if any player refuses the transfer, it will affect the other player as well. This can be exploited to sabotage the game - the exploiter will sacrifice their own tokens to ensure that same amount from their opponent would also be lost in the contract.
Impact
Opened possibilities for griefing / mutually assured destructions.
Recommendations
Instead of directly transfering the tokens as refunds, keep it in a mapping as to-be-refunded values for any associated address, accumulated throughout all games they had played. Such address can take those tokens back through a different withdraw transaction, independent from any game.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.