Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Valid

User locks the funds by calling createGameWithToken() with msg.value

Summary

When creating a game with tokens using createGameWithToken(), the function does not check if ETH was sent with the transaction. Any ETH accidentally sent will be lost forever.

Vulnerability Details

The createGameWithToken() function is meant to create games using tokens instead of ETH. However:

  1. The function does not check if msg.value > 0

  2. Any ETH sent with this function call gets trapped in the contract

  3. There is no way to recover this ETH

```solidity
function createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval) external returns (uint256) {
    // No check for msg.value here
    require(winningToken.balanceOf(msg.sender) >= 1, "Must have winning token");
    // Rest of the function...
}
```

Impact

Users who accidentally send ETH when creating token games will lose their funds. This is especially risky if the front-end interface doesn't prevent this mistake.

Tools Used

Manual code review

Recommendations

Add a simple check at the start of the function:

```solidity
function createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval) external returns (uint256) {
    require(msg.value == 0, "Do not send ETH with token games");
    require(winningToken.balanceOf(msg.sender) >= 1, "Must have winning token");
    // Rest of the function...
}
```

This will protect users from accidentally losing their ETH.
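As an added illustration (not code from this submission or the audited project), a Foundry test for the recommended check. It uses a hypothetical mock token in place of winningToken and declares the function payable so that msg.value is readable inside the require, which then rejects any ETH sent with the call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the game's winning token (constructed for this test).
contract MockWinningToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

contract TokenGameHardened {
    MockWinningToken public winningToken;
    uint256 public gameCount;

    constructor(MockWinningToken _token) { winningToken = _token; }

    // Declared payable only so the check can read msg.value; any non-zero value reverts,
    // so ETH can never become trapped through this entry point.
    function createGameWithToken(uint256, uint256) external payable returns (uint256) {
        require(msg.value == 0, "Do not send ETH with token games");
        require(winningToken.balanceOf(msg.sender) >= 1, "Must have winning token");
        return ++gameCount; // rest of the game setup omitted
    }
}

contract CreateGameWithTokenTest is Test {
    MockWinningToken token;
    TokenGameHardened game;
    address player = makeAddr("player");

    function setUp() public {
        token = new MockWinningToken();
        game = new TokenGameHardened(token);
        token.mint(player, 1);
        vm.deal(player, 1 ether);
    }

    function test_RevertsWhenEthSent() public {
        vm.prank(player);
        vm.expectRevert(bytes("Do not send ETH with token games"));
        game.createGameWithToken{value: 0.1 ether}(3, 1 days);
        assertEq(address(game).balance, 0); // nothing trapped in the contract
    }

    function test_SucceedsWithoutEth() public {
        vm.prank(player);
        uint256 id = game.createGameWithToken(3, 1 days);
        assertEq(id, 1);
    }
}
```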

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Orphaned ETH due to Unrestricted receive() or Canceled Game

ETH sent directly to the contract via the receive function or after a canceled game becomes permanently locked
