In createGameWithEth, the contract accepts any msg.value >= minBet (for example 0.01 ETH) and records the full amount sent as the bet; in joinGameWithEth, player B must then match that exact amount (msg.value == game.bet). If player A sends more ETH than intended, say 0.02 ETH, the excess is not refunded and silently becomes part of the bet, increasing the stake without explicit user consent.
The vulnerable code can be found here:
If a user accidentally sends 1 ETH instead of 0.01 ETH, the entire amount is locked as the bet and player B must match it, which either deters participation or escalates the stake unintentionally. The excess is not lost, since it is paid out in _finishGame or refunded in _cancelGame, but it can confuse users and lead to unintended exposure.
The issue depends on user error, which front-end interfaces can mitigate but which is not enforced on-chain. No funds are stolen, but it is a usability flaw that could frustrate players or lead to disputes.
To solve this I would cap the bet at a reasonable maximum or refund excess ETH, like so:
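The following is an added illustration written for this page, not the submitter's or the project's code (the original snippet is not reproduced here). It shows the over-send pattern described above next to a hardened version that takes the intended bet as a parameter, enforces a cap, and refunds the excess. Only createGameWithEth, joinGameWithEth, minBet and game.bet come from the finding; the struct layout, the maxBet cap, the intendedBet parameter and the error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the audited contract. Everything except the function
/// names createGameWithEth/joinGameWithEth and the minBet/bet fields is assumed.
contract BetGameExample {
    struct Game {
        address playerA;
        address playerB;
        uint256 bet;
    }

    uint256 public immutable minBet;
    uint256 public immutable maxBet; // assumed cap introduced by the fix
    uint256 public nextGameId;
    mapping(uint256 => Game) public games;

    error BetBelowMinimum(uint256 sent, uint256 minBet);
    error BetAboveMaximum(uint256 sent, uint256 maxBet);
    error BetMismatch(uint256 sent, uint256 expected);
    error RefundFailed();

    constructor(uint256 _minBet, uint256 _maxBet) {
        require(_minBet > 0 && _maxBet >= _minBet, "bad bet bounds");
        minBet = _minBet;
        maxBet = _maxBet;
    }

    // Pattern described in the finding: any msg.value >= minBet is stored
    // verbatim as the stake, so sending 1 ETH instead of 0.01 ETH makes the
    // bet 1 ETH and forces player B to match it.
    function createGameWithEth_Vulnerable() external payable returns (uint256 id) {
        if (msg.value < minBet) revert BetBelowMinimum(msg.value, minBet);
        id = nextGameId++;
        games[id] = Game({playerA: msg.sender, playerB: address(0), bet: msg.value});
    }

    // Hardened: the caller states the bet explicitly, the contract bounds it
    // by [minBet, maxBet], and any ETH above the stated bet is refunded.
    function createGameWithEth(uint256 intendedBet) external payable returns (uint256 id) {
        if (intendedBet < minBet) revert BetBelowMinimum(intendedBet, minBet);
        if (intendedBet > maxBet) revert BetAboveMaximum(intendedBet, maxBet);
        if (msg.value < intendedBet) revert BetMismatch(msg.value, intendedBet);

        id = nextGameId++;
        games[id] = Game({playerA: msg.sender, playerB: address(0), bet: intendedBet});

        // Refund after all state is written (checks-effects-interactions), so a
        // re-entering refund recipient cannot observe a half-created game.
        uint256 excess = msg.value - intendedBet;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }

    // Unchanged requirement from the page: player B must match the bet exactly.
    function joinGameWithEth(uint256 id) external payable {
        Game storage game = games[id];
        require(game.playerA != address(0) && game.playerB == address(0), "not joinable");
        if (msg.value != game.bet) revert BetMismatch(msg.value, game.bet);
        game.playerB = msg.sender;
    }
}
```

If the external refund call is undesirable (for example because player A may be a contract whose receive hook reverts), the simpler alternative is to require msg.value == intendedBet in createGameWithEth, which keeps the on-chain check symmetric with the one already imposed on player B in joinGameWithEth. Either variant prevents an accidental over-send from being committed as the stake without the sender explicitly asking for it.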