The Game
contract includes a receive()
function that allows it to accept ETH through plain transfers:
However, this ETH is not tracked in platformFeesBalance
or pendingWinnings
, and there is no mechanism to withdraw or recover it.
Only two functions allow ETH withdrawals:
withdrawWinnings()
: For players with pending winnings
withdrawPlatformFees()
: For the owner to withdraw tracked platform fees
Any ETH sent directly (e.g., by mistake or from a bot) will be permanently stuck in the contract.
Impact:
Funds are not lost by the contract, but they become inaccessible.
ETH could accumulate over time, unnoticed.
Option 1: Remove the recieve
function
This will prevent plain ETH transfers and reduce confusion.
Option 2: Add a withdrawal mechanism for all contract balance
Either approach would prevent ETH from being permanently locked in the contract.
There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.