Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unnecessary `receive` Function Can Lead to Stuck ETH

Description

  • Contracts should only accept ETH through intended functions to prevent accidental fund loss and maintain clear accounting.

  • The contract includes a receive() function that accepts ETH sent directly to the contract address without providing any mechanism to recover these funds.

// @> Accepts ETH but provides no functionality or recovery mechanism
receive() external payable {}

Risk

Likelihood:

  • Users frequently send ETH directly to contract addresses by mistake

  • Frontend applications may incorrectly send ETH to contract address instead of specific functions

Impact:

  • Funds become permanently stuck in the contract

  • Users lose ETH with no possibility of recovery

  • Contract accounting becomes inconsistent

  • No benefit provided by allowing direct ETH deposits

Proof of Concept

receive() external payable {
    // Accepts ETH but does nothing with it
}

Recommended Mitigation

Option 1: Remove the receive() function entirely:

// Simply remove this function
// receive() external payable {}

Option 2: Add recovery mechanism for stuck ETH:

// Keep receive() but add a recovery function
receive() external payable {
    // ETH sent directly to the contract
}

function recoverStuckETH() external onlyOwner {
    // Anything above the tracked pot and fee balances is unaccounted-for ETH
    uint256 stuckAmount = address(this).balance - pot - platformFeesBalance;
    require(stuckAmount > 0, "Game: No stuck ETH to recover");
    (bool success, ) = payable(owner()).call{value: stuckAmount}("");
    require(success, "Game: Failed to recover stuck ETH");
}

Option 3: Redirect direct ETH deposits to pot:

event DirectDepositToPot(address indexed sender, uint256 amount);

receive() external payable {
    require(msg.value > 0, "Game: No ETH sent");
    pot += msg.value; // Add to the current game pot
    emit DirectDepositToPot(msg.sender, msg.value);
}
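As an added Foundry test (not part of this submission or the Last Man Standing codebase), the following shows the accounting gap the finding describes and checks that Option 2 returns exactly the untracked amount to the owner. `GameStub`, its `claimThrone` fee split and the inline owner check are assumptions standing in for the real contract.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Assumed stand-in for the game contract (not the audited code): the pot and the
// platform fee balance are the only ETH the contract accounts for.
contract GameStub {
    address public owner = msg.sender;
    uint256 public pot;
    uint256 public platformFeesBalance;
    // Intended deposit path; the 10% fee split is an assumption.
    function claimThrone() external payable {
        uint256 fee = msg.value / 10;
        platformFeesBalance += fee;
        pot += msg.value - fee;
    }
    // Option 2 from the report: keep receive(), add an owner-only recovery path.
    receive() external payable {}
    function recoverStuckETH() external {
        require(msg.sender == owner, "Game: not owner");
        uint256 stuckAmount = address(this).balance - pot - platformFeesBalance;
        require(stuckAmount > 0, "Game: No stuck ETH to recover");
        (bool success, ) = payable(owner).call{value: stuckAmount}("");
        require(success, "Game: Failed to recover stuck ETH");
    }
}

contract StuckEthTest is Test {
    GameStub game = new GameStub(); // this test contract is the owner
    address player = makeAddr("player");
    // ETH held by the contract that no state variable accounts for.
    function untracked() internal view returns (uint256) {
        return address(game).balance - game.pot() - game.platformFeesBalance();
    }

    function test_directTransferIsRecoverable() public {
        vm.deal(player, 2 ether);
        vm.prank(player);
        game.claimThrone{value: 1 ether}();
        assertEq(untracked(), 0);
        vm.prank(player); // mistaken direct send: hits receive(), bypasses accounting
        (bool ok, ) = address(game).call{value: 0.5 ether}("");
        assertTrue(ok);
        assertEq(untracked(), 0.5 ether);
        uint256 before = address(this).balance;
        game.recoverStuckETH(); // refunds exactly the untracked amount to the owner
        assertEq(address(this).balance - before, 0.5 ether);
        assertEq(untracked(), 0);
    }
    receive() external payable {} // owner must be able to receive the refund
}
```

Run with `forge test --match-contract StuckEthTest`; the same `untracked()` check can be used as an invariant to confirm that no intended entry point leaves ETH outside the contract's accounting.
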

Updates

Appeal created

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
