Last Man Standing

First Flight #45
Beginner Friendly | Foundry | Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: low
Invalid

Untracked Direct ETH Transfers

Root + Impact

Description

  • Normal behavior: All ETH received by the contract should either be tracked or explicitly rejected, ensuring no funds become inaccessible.

  • Issue: The receive() function does nothing but accept ETH. ETH sent directly (via selfdestruct or a plain transfer with empty calldata) increases the contract's balance but is not recorded in pot or platformFeesBalance:

    receive() external payable {}

Risk

Likelihood:

  • While arbitrary ETH transfers are less common, any address can send ETH to the contract at any time, including by accident.

Impact:

  • Locked Funds: ETH received via receive() becomes unrecoverable because there is no withdrawal mechanism for unaccounted funds.

  • Incorrect Accounting: getContractBalance() no longer equals the sum of pot + platformFeesBalance, leading to confusion.

Proof of Concept

// Someone sends ETH directly, bypassing claimThrone().
(bool ok, ) = address(game).call{value: 1 ether}("");
require(ok, "empty receive() accepts the transfer");
// The 1 ether is not added to pot or fees.
// game.getContractBalance() == initial balance + 1 ether
// pot and platformFeesBalance remain unchanged.

Recommended Mitigation

Reject unexpected transfers:

receive() external payable {
    revert("Direct ETH transfers not allowed");
}

Updates
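To make the accounting gap concrete, the following Foundry test is an added example; it is not part of the original submission or of the audited project. It models a constructed stand-in contract using the names the finding refers to (pot, platformFeesBalance, getContractBalance, claimThrone); the 5% fee split, the contract names VulnerableGame and HardenedGame, and the claimThrone body are assumptions. The test checks the invariant that every wei the contract holds is attributed to pot or platformFeesBalance, shows the empty receive() breaking it, and shows the recommended reverting receive() keeping it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract. Only the accounting this
// finding touches is modelled; it is NOT the project's code, and the fee
// split and claimThrone body are hypothetical.
contract VulnerableGame {
    uint256 public pot;
    uint256 public platformFeesBalance;
    uint256 public constant PLATFORM_FEE_BPS = 500; // 5%, assumed value

    function claimThrone() external payable {
        uint256 fee = (msg.value * PLATFORM_FEE_BPS) / 10_000;
        platformFeesBalance += fee;
        pot += msg.value - fee;
    }

    function getContractBalance() external view returns (uint256) {
        return address(this).balance;
    }

    // As in the finding: accepts ETH but records nothing.
    receive() external payable virtual {}
}

// Same stand-in with the recommended mitigation applied.
contract HardenedGame is VulnerableGame {
    receive() external payable override {
        revert("Direct ETH transfers not allowed");
    }
}

contract UntrackedEthTest is Test {
    VulnerableGame internal vulnerable;
    HardenedGame internal hardened;
    address internal player = makeAddr("player");

    function setUp() public {
        vulnerable = new VulnerableGame();
        hardened = new HardenedGame();
        vm.deal(player, 10 ether);
    }

    // Invariant the contract should maintain: every wei it holds is
    // attributed either to the pot or to the platform fees.
    function _accountedFor(VulnerableGame g) internal view returns (bool) {
        return g.getContractBalance() == g.pot() + g.platformFeesBalance();
    }

    function test_directTransferBreaksAccounting() public {
        vm.startPrank(player);
        vulnerable.claimThrone{value: 1 ether}();
        assertTrue(_accountedFor(vulnerable), "tracked path keeps invariant");

        // Direct transfer with empty calldata hits receive(), not claimThrone().
        (bool ok, ) = address(vulnerable).call{value: 1 ether}("");
        vm.stopPrank();
        assertTrue(ok, "empty receive() accepts the transfer");

        // 1 ether is now held but attributed to neither pot nor fees.
        assertFalse(_accountedFor(vulnerable), "invariant broken");
        uint256 untracked = vulnerable.getContractBalance()
            - (vulnerable.pot() + vulnerable.platformFeesBalance());
        assertEq(untracked, 1 ether);
    }

    function test_hardenedRejectsDirectTransfer() public {
        vm.startPrank(player);
        hardened.claimThrone{value: 1 ether}();
        (bool ok, ) = address(hardened).call{value: 1 ether}("");
        vm.stopPrank();

        assertFalse(ok, "reverting receive() rejects the transfer");
        assertTrue(_accountedFor(hardened), "invariant holds");
    }
}
```

Run with `forge test --match-contract UntrackedEthTest`. One caveat: a reverting receive() cannot stop ETH that arrives via selfdestruct, which the description also names as a vector, so an invariant check of the form `address(this).balance == pot + platformFeesBalance` in a fuzz or invariant test remains the way to detect funds the contract has not accounted for.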

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
