Rock Paper Scissors

First Flight #38
Beginner Friendly | Solidity
100 EXP
Submission Details
Severity: medium
Invalid

No additional safety measures for Reentrancy attacks

Summary

Functions that make calls to external addresses are vulnerable to reentrancy attacks.
Even though the CEI (checks-effects-interactions) pattern is followed, which minimizes the risk, adding a reentrancy guard gives the game contract a second, independent layer of protection.

The functions that may need additional safety:

withdrawFees

_finishGame

_handleTie

_cancelGame

Vulnerability Details

A malicious contract that receives an ETH transfer from the game contract can call back into it recursively (re-enter) before the outer call has finished, and use that to drain the game contract.

Impact

Loss of funds in the game contract.

Tools Used

Manual Code Review

Recommendations

Use a reentrancy guard modifier, for example OpenZeppelin's nonReentrant:

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

For example, in withdrawFees (the contract must also inherit from ReentrancyGuard for the modifier to be available):

    /**
     * @notice Allows the admin to withdraw accumulated protocol fees
     * @param _amount The amount to withdraw (0 for all)
     */
    function withdrawFees(uint256 _amount) external nonReentrant { // Additional reentrancy guard modifier
        require(msg.sender == adminAddress, "Only admin can withdraw fees");
        uint256 amountToWithdraw = _amount == 0 ? accumulatedFees : _amount;
        require(amountToWithdraw <= accumulatedFees, "Insufficient fee balance");
        accumulatedFees -= amountToWithdraw; // effect: state updated before the external call (CEI)
        (bool success,) = adminAddress.call{value: amountToWithdraw}(""); // interaction
        require(success, "Fee withdrawal failed");
        emit FeeWithdrawn(adminAddress, amountToWithdraw);
    }
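The following is an added, self-contained example (not code from the submission or from the Rock Paper Scissors game contract) showing how the recommendation fits together: a minimal two-state lock with the same semantics as OpenZeppelin's ReentrancyGuard, a CEI-ordered withdrawFees protected by it, and a small harness that confirms a nested call from the recipient's receive() hook is rejected. The FeeVault, GuardCheck and SimpleReentrancyGuard contracts and their layout are assumptions made for the example; only adminAddress, accumulatedFees, withdrawFees and FeeWithdrawn follow the names in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal mutex with the same two-state semantics as OpenZeppelin's
// ReentrancyGuard, inlined so the example compiles without the dependency.
// In the real contract, import and inherit the OpenZeppelin version instead.
abstract contract SimpleReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    error ReentrancyGuardReentrantCall();

    modifier nonReentrant() {
        // Runs before the function body, so a nested call fails before
        // any checks, effects or interactions of the inner call happen.
        if (_status == ENTERED) revert ReentrancyGuardReentrantCall();
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

// Hypothetical fee vault standing in for the game contract's fee logic
// (assumed for this example; not the game's actual contract).
contract FeeVault is SimpleReentrancyGuard {
    address public adminAddress;
    uint256 public accumulatedFees;

    event FeeWithdrawn(address indexed to, uint256 amount);

    constructor(address _admin) {
        adminAddress = _admin;
    }

    // In this example fees arrive as plain ETH; the real game credits them internally.
    receive() external payable {
        accumulatedFees += msg.value;
    }

    // Defence in depth: CEI ordering (effect before the external call) plus the
    // nonReentrant lock. Either alone blocks a simple re-entry into this function;
    // together they also survive a future edit that moves the state update after the call.
    function withdrawFees(uint256 _amount) external nonReentrant {
        require(msg.sender == adminAddress, "Only admin can withdraw fees");          // check
        uint256 amountToWithdraw = _amount == 0 ? accumulatedFees : _amount;
        require(amountToWithdraw <= accumulatedFees, "Insufficient fee balance");     // check
        accumulatedFees -= amountToWithdraw;                                           // effect
        (bool success,) = adminAddress.call{value: amountToWithdraw}("");              // interaction
        require(success, "Fee withdrawal failed");
        emit FeeWithdrawn(adminAddress, amountToWithdraw);
    }
}

// Verification harness (no test framework needed): this contract is the vault's
// admin, so the payout lands in its receive() hook, which tries to call
// withdrawFees again while the outer call is still in progress. With the guard
// in place the nested call reverts, the outer call completes, and the vault
// pays out exactly once.
contract GuardCheck {
    FeeVault public vault;
    bool public innerCallReverted;

    constructor() payable {
        vault = new FeeVault(address(this));
        (bool ok,) = address(vault).call{value: msg.value}(""); // seed the fee balance
        require(ok, "funding failed");
    }

    receive() external payable {
        // Nested call during the outer withdrawal: must be rejected by nonReentrant.
        try vault.withdrawFees(0) {
            innerCallReverted = false;
        } catch {
            innerCallReverted = true;
        }
    }

    // Returns true when the guard rejected the nested call and the vault's
    // fee balance was drawn down exactly once by the outer call.
    function run() external returns (bool) {
        vault.withdrawFees(0);
        return innerCallReverted && vault.accumulatedFees() == 0;
    }
}
```

Deploy GuardCheck with some ETH and call run(); it returns true when the guard behaves as intended. The same harness, pointed at a vault without the modifier, is a quick way to show reviewers why CEI alone should not be the only line of defence in functions that send ETH, such as _finishGame, _handleTie and _cancelGame.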
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
