Rock Paper Scissors

First Flight #38 (Beginner Friendly, Solidity)

Submission Details
Severity: high
Valid

Use of Low-Level .call for ETH Transfers

Summary

The contract uses Solidity's low-level .call{value: prize}("") to transfer ETH to _winner. While .call is flexible and forwards all remaining gas, that same flexibility is what makes it potentially dangerous, as detailed below.

Vulnerability Details

It forwards all available gas by default, enabling complex fallback functions on the receiving address.

This opens the door to reentrancy attacks, especially if the call is made before contract state is updated (in this specific function the state changes happen before the call, which reduces the risk but is still not ideal).

It does not limit or check for malicious fallback functions on _winner.

Impact

If a malicious _winner address has a fallback or receive function that makes a recursive external call back into the contract, and if other functions are exploitable, this could lead to reentrancy vulnerabilities.

Even if the function is safe from reentrancy, relying on .call can result in unexpected behavior or gas griefing if the receiver consumes too much gas.

Tools Used

Manual code review

Recommendations

  1. Use transfer or send.

  2. Recommended pattern: Checks-Effects-Interactions + pull payment model.

  3. If you want to keep .call, ensure no external calls are made before internal state is fully updated.
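To show what recommendations 2 and 3 look like in practice, here is an added example contrasting a push payout over .call with a pull payout that applies Checks-Effects-Interactions. It is illustrative code, not the contest's Rock Paper Scissors contract; the settler role, the contract names and the stubbed game logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example; not the contest contract. Game logic is stubbed:
// a trusted "settler" address (assumption) calls settle() with the prize as msg.value.

// Push payout via .call: if the winner is a contract whose receive() reverts or
// burns the forwarded gas, settle() itself reverts and the game cannot be closed.
contract PushPayout {
    address public settler;

    constructor() { settler = msg.sender; }

    function settle(address winner) external payable {
        require(msg.sender == settler, "not settler");
        (bool ok, ) = winner.call{value: msg.value}("");
        require(ok, "payout failed"); // a hostile receiver makes the whole settlement fail
    }
}

// Pull payout: settle() only records credit (the effect) and never calls out,
// so a hostile receiver can only break its own withdraw(), never the game.
contract PullPayout {
    mapping(address => uint256) public pendingWithdrawals;
    address public settler;

    constructor() { settler = msg.sender; }

    function settle(address winner) external payable {
        require(msg.sender == settler, "not settler");
        pendingWithdrawals[winner] += msg.value; // effect only, no interaction
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");      // check
        pendingWithdrawals[msg.sender] = 0;               // effect, before the call
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "withdraw failed");                   // only the caller's own tx reverts
    }
}

// Test fixture for the failure mode: a receiver that rejects ETH. Registering it
// as the winner makes PushPayout.settle() revert but only affects its own
// PullPayout.withdraw().
contract RevertingReceiver {
    receive() external payable { revert("no ETH"); }
}
```

Because pendingWithdrawals is zeroed before the external call, a receiver that re-enters withdraw() finds no balance and reverts on the check, which is the reentrancy protection recommendation 3 asks for.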

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Denial of Service (DoS) due to Unhandled External Call Revert

If a malicious player wins a game using a contract that intentionally reverts when receiving ETH, the entire transaction will fail.
