Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Directly sent ETH funds are permanently locked in the contract

Root + Impact

Directly sent ETH funds are permanently locked in the contract

Description

The Game.sol smart contract contains a receive() function that accepts unrestricted direct ETH transfers:

@> receive() external payable {}

The contract provides a mechanism for the owner to withdraw the accumulated platform fees:

function withdrawPlatformFees() external onlyOwner nonReentrant {
    uint256 amount = platformFeesBalance;
    require(amount > 0, "Game: No platform fees to withdraw.");
    platformFeesBalance = 0;
    (bool success, ) = payable(owner()).call{value: amount}("");
    require(success, "Game: Failed to withdraw platform fees.");
    emit PlatformFeesWithdrawn(owner(), amount);
}

and winners can withdraw the prizes that accumulated as pending winnings during the games:

function withdrawWinnings() external nonReentrant {
    uint256 amount = pendingWinnings[msg.sender];
    require(amount > 0, "Game: No winnings to withdraw.");
    (bool success, ) = payable(msg.sender).call{value: amount}("");
    require(success, "Game: Failed to withdraw winnings.");
    pendingWinnings[msg.sender] = 0;
    emit WinningsWithdrawn(msg.sender, amount);
}

Both functions pay out only from tracked balances (platformFeesBalance and pendingWinnings). ETH sent directly to the contract is credited to neither, so it accumulates in the contract balance with no function able to withdraw it.

Risk

Likelihood: Medium

Impact:

  • Any ETH sent directly to the contract is permanently locked

  • Users who accidentally send ETH to the contract address lose those funds, since there is no recovery mechanism

Proof of Concept

N/A

Tools Used

Manual review

Recommended Mitigation

Any of the following choices is a valid solution:

  • Remove the receive() function entirely:

- receive() external payable {}
  • Add a revert to block direct ETH transfers:

- receive() external payable {}
+ receive() external payable {
+ revert("Direct ETH transfers are not allowed");
+ }
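Review bot: a receive() whose only body is revert() behaves the same as deleting receive() (a plain ETH transfer to a contract with neither receive nor fallback reverts anyway), so the second bullet differs from the first only in the explicit error message; the report should present them as one option with a choice of diagnostic, not two independent fixes. Note also that neither variant recovers ETH that is already stuck, only the third option does that.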
  • Or implement an appropriate withdraw function that lets the contract owner recover the surplus contract balance. Such a mechanism must ensure that funds owed as pending winnings (and booked platform fees) can never be withdrawn by the contract owner.
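The third option worked out in Solidity, as an added illustration that is not code from Game.sol or the First Flight repository. The names totalPendingWinnings, reservedBalance and withdrawExcess are assumptions, and ownership plus the game logic are reduced to minimal stubs:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited Game.sol; game logic and OZ modifiers are stubbed.
contract GameSweepExample {
    address public owner;
    uint256 public platformFeesBalance;
    mapping(address => uint256) public pendingWinnings;
    // A mapping cannot be summed on-chain, so every credit and debit of
    // pendingWinnings must also update this running total.
    uint256 public totalPendingWinnings;

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "Game: not owner"); _; }

    // Hypothetical hook the game logic would call when a round ends.
    function _creditWinnings(address winner, uint256 amount) internal {
        pendingWinnings[winner] += amount;
        totalPendingWinnings += amount;
    }

    function withdrawWinnings() external {
        uint256 amount = pendingWinnings[msg.sender];
        require(amount > 0, "Game: No winnings to withdraw.");
        // Update both balances before the external call so the liability
        // total is never stale while ETH is in flight.
        pendingWinnings[msg.sender] = 0;
        totalPendingWinnings -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Game: Failed to withdraw winnings.");
    }

    // ETH the contract owes to others; the owner may never sweep it.
    function reservedBalance() public view returns (uint256) {
        return platformFeesBalance + totalPendingWinnings;
    }

    // Owner recovers only what is NOT owed, i.e. stray direct transfers. The
    // subtraction reverts on underflow, the safe failure if accounting drifts.
    function withdrawExcess() external onlyOwner {
        uint256 excess = address(this).balance - reservedBalance();
        require(excess > 0, "Game: Nothing to sweep.");
        (bool ok, ) = payable(owner).call{value: excess}("");
        require(ok, "Game: Sweep failed.");
    }

    // Stays open: with withdrawExcess() a mistaken transfer is recoverable.
    receive() external payable {}
}
```

The invariant to check in a Foundry test is that address(this).balance never drops below reservedBalance() after any sequence of credits, withdrawals and sweeps.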

Updates

Appeal created

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.

vladich0x Submitter
about 1 month ago
inallhonesty Lead Judge
about 1 month ago
