Last Man Standing
First Flight #45
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Game::getContractBalance() May Return Unexpected Value

mozi

Contract allows anyone to send Ether directly to the contract causing Game::getContractBalance() Return Unexpected Value

Description

The Game::getContractBalance() function returns the raw Ether balance of the contract, it assumes that all ETH in the contract came through controlled functions and that the balance represents a valid sum of tracked internal state (like pot and platformfees).

/**
* @dev Returns the current balance of the contract (should match the pot plus platform fees unless payouts are pending).
*/
function getContractBalance() public view returns (uint256) {
@> return address(this).balance; // returns raw ether balance
}

However, the contract includes a fallback receive() function:

receive() external payable {}

This allows anyone to send Ether directly to the contract without calling a tracked logic function. As a result, address(this).balance can become higher than the expected return.

Risk

Likelihood:

  • when malicious user sends ETH directly to the contract via send() or transfer().

Impact:

  • shown misleading data

Recommended Mitigation

Change getContractBalance() to return internal variable:

function getContractBalance() public view returns (uint256) {
return pot + platformFees; // or another internal sum
}
Updates

Appeal created

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Game::getContractBalance doesn't behave as it should

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.