Last Man Standing

First Flight #45
Tags: Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Stuck Funds via Receive

Root + Impact

Description

  • Users are expected to interact with the contract through claimThrone or its other external functions.

  • Because receive() has an empty body, any ETH sent directly to the contract (a plain transfer with no calldata) is accepted and held, and neither the owner nor the sender has any function that can return it.

```solidity
// Root cause: the empty receive() accepts direct ETH transfers with no withdrawal path (marked with @>)
@> receive() external payable {}
```

Risk

Likelihood:

  • Not likely but still possible

Impact:

  • This does not directly affect the game mechanics, but it is a poor user experience: a mistaken direct transfer is lost permanently.

Proof of Concept

This test shows that the contract's balance increases when it receives ETH directly, and that no function exists to return it.

```solidity
function test_LockedFunds() public {
    // Deploy the game as the deployer, using the test suite's constructor constants
    vm.prank(deployer);
    game = new Game(INITIAL_CLAIM_FEE, GRACE_PERIOD, FEE_INCREASE_PERCENTAGE, PLATFORM_FEE_PERCENTAGE);

    // A player sends 1 ether with empty calldata, which routes to receive()
    vm.prank(player1);
    (bool ok, ) = address(game).call{ value: 1 ether }("");
    require(ok);

    // The ETH is now held by the contract and no function can send it back
    uint256 balance = address(game).balance;
    assertEq(balance, 1 ether);
}
```
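As an added example (not the submitter's test or the protocol's code), two minimal stand-in contracts with hypothetical names show the empty receive() beside one that rejects direct transfers, with a Foundry test for each behaviour:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the Game contract's receive(): ETH is accepted and trapped
contract AcceptsEth {
    receive() external payable {}
}

// Hardened variant: direct transfers are rejected, so value never enters the contract
contract RejectsEth {
    error DirectTransferNotAllowed();

    receive() external payable {
        revert DirectTransferNotAllowed();
    }
}

contract ReceiveTest is Test {
    address player = makeAddr("player");

    function setUp() public {
        vm.deal(player, 2 ether);
    }

    function test_EmptyReceiveTrapsEth() public {
        AcceptsEth target = new AcceptsEth();
        vm.prank(player);
        (bool ok, ) = address(target).call{value: 1 ether}("");
        assertTrue(ok);
        // Stuck: the contract holds the ETH and exposes no withdrawal function
        assertEq(address(target).balance, 1 ether);
        assertEq(player.balance, 1 ether);
    }

    function test_RevertingReceiveBouncesEth() public {
        RejectsEth target = new RejectsEth();
        vm.prank(player);
        (bool ok, ) = address(target).call{value: 1 ether}("");
        // The low-level call reports failure and the value stays with the sender
        assertFalse(ok);
        assertEq(address(target).balance, 0);
        assertEq(player.balance, 2 ether);
    }
}
```

Run with `forge test`; the second test relies on Foundry's default gas price of zero, so the sender's balance is unchanged after the rejected transfer.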

Recommended Mitigation

The contract should refund the ETH sent by the user; this prevents any user funds from being stuck in the contract.

receive() external payable {
+ (bool success,) = payable(msg.sender).call{value: msg.value}("");
+ require(success, "Refund failed");
}
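Review bot: the refund in the `receive()` body above has the same net effect as rejecting the transfer (the contract never keeps the value) but costs more gas and forwards all remaining gas to `msg.sender` through `call`, so a plain `revert("Direct ETH transfers not accepted");` is the simpler change; note also that when `msg.sender` is a contract without a payable `receive`/`fallback` the refund `call` fails and `require(success, "Refund failed")` reverts the whole transfer, which is the desired outcome either way.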
Updates

Appeal created

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
