The RockPaperScissors contract includes a receive() function, enabling it to accept direct Ether transfers. However, it lacks a corresponding function to withdraw any Ether sent to the contract address. This oversight means any Ether received will become permanently locked and irretrievable.
The RockPaperScissors contract is equipped with a receive() external payable function. This design choice allows any user or contract to send Ether directly to the contract address without calling a specific function (e.g., sending via a standard transfer or using call{value}). While receiving Ether is possible, the contract does not contain any function that facilitates the transfer of this Ether out of the contract address to an external account or administrator. Consequently, any Ether that accumulates in the contract's balance, whether sent intentionally or accidentally, cannot be accessed or moved by anyone, including the contract deployer or admin.
Any Ether sent to the RockPaperScissors contract will be permanently locked within the contract address. This results in a permanent loss of value for the sender, as the Ether cannot be recovered by the sender, the contract owner, or any other party.
Manual review
Implement a withdrawal function that allows authorized parties (such as the contract administrator or owner) to retrieve Ether held by the contract.
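One shape the recommended withdrawal function could take, as an added example that is not code from the audited contract. The contract name, `owner`, `escrowed`, `deposit` and `sweepUntracked` are hypothetical; the sketch assumes the game tracks player stakes separately, so the owner can release only Ether that arrived outside that accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration only; not the audited RockPaperScissors source.
/// All identifiers below are hypothetical.
contract SweepableEscrow {
    address public immutable owner;
    /// Ether owed to players (stakes in active games); never sweepable.
    uint256 public escrowed;

    event UntrackedEtherSwept(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error NothingToSweep();
    error TransferFailed();

    constructor() {
        owner = msg.sender;
    }

    /// Direct transfers land here and are not added to `escrowed`.
    receive() external payable {}

    /// Stand-in for the game's payable entry points, which track stakes.
    function deposit() external payable {
        escrowed += msg.value;
    }

    /// Releases only the surplus above tracked stakes, so the owner
    /// cannot touch funds that belong to players.
    function sweepUntracked(address payable to) external {
        if (msg.sender != owner) revert NotOwner();
        if (to == address(0)) revert ZeroAddress();

        uint256 surplus = address(this).balance - escrowed;
        if (surplus == 0) revert NothingToSweep();

        // Event is emitted before the external call; a failed call reverts it.
        emit UntrackedEtherSwept(to, surplus);
        (bool ok, ) = to.call{value: surplus}("");
        if (!ok) revert TransferFailed();
    }
}
```

Any payout path in the real contract would need to decrement the tracked stake total before sending, otherwise the surplus calculation underflows and reverts.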
ETH sent directly to the contract via the receive function or after a canceled game becomes permanently locked