Last Man Standing

First Flight #45
Beginner Friendly · Foundry · Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Funds can be locked forever if someone sends ETH directly to the contract without calling `claimThrone`

Description: The contract does not handle the case where someone sends ETH directly to the contract without calling `claimThrone`, and there is no function for the owner to withdraw these funds.

@> receive() external payable {}

Impact: This can lead to a situation where funds are locked in the contract forever if a user accidentally sends ETH to the contract directly.

Proof of Concept:
Add the following test to `Game.t.sol` and run it:

```solidity
function testLockedFunds() public {
    uint256 initialBalance = address(game).balance;
    // Fund player1 and send ETH with empty calldata, which routes to receive()
    vm.deal(address(player1), 1 ether);
    vm.startPrank(player1);
    (bool success, ) = address(game).call{value: 0.5 ether}("");
    assertTrue(success);
    // The ETH is accepted and now sits in the contract with no withdrawal path
    assertEq(address(game).balance, initialBalance + 0.5 ether);
    vm.stopPrank();
}
```
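As an added example (not the submitter's PoC and not the First Flight's `Game.sol`), the following Foundry test contrasts a hypothetical minimal throne contract that has no `receive()` with one that keeps the empty `receive()` from the finding. The contract names, the `claimFee` parameter and the `pot()` helper are assumptions made for this illustration; only `claimThrone` and the empty `receive()` come from the submission. Without `receive()` a plain value transfer reverts and the sender keeps the funds, while the intended `claimThrone` path still works.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal throne contract (assumption; not the First Flight's Game.sol).
// ETH enters only through the payable claimThrone(); with no receive() or fallback(),
// a plain value transfer with empty calldata reverts instead of being stranded.
contract ThroneNoReceive {
    address public king;
    uint256 public claimFee;

    constructor(uint256 _claimFee) {
        claimFee = _claimFee;
    }

    function claimThrone() external payable {
        require(msg.value >= claimFee, "fee too low");
        king = msg.sender;
    }

    function pot() external view returns (uint256) {
        return address(this).balance;
    }
}

// Same contract with the empty receive() the finding points at, kept for contrast.
contract ThroneWithReceive is ThroneNoReceive {
    constructor(uint256 _claimFee) ThroneNoReceive(_claimFee) {}

    receive() external payable {}
}

contract DirectTransferTest is Test {
    address player1 = makeAddr("player1"); // constructed test account

    function test_directTransferRevertsWithoutReceive() public {
        ThroneNoReceive game = new ThroneNoReceive(0.1 ether);
        vm.deal(player1, 1 ether);

        // Plain transfer: no receive()/fallback() means the call bounces.
        vm.prank(player1);
        (bool ok, ) = address(game).call{value: 0.5 ether}("");
        assertFalse(ok);
        assertEq(address(game).balance, 0);
        assertEq(player1.balance, 1 ether); // funds stay with the sender

        // The intended entry point still accepts ETH.
        vm.prank(player1);
        game.claimThrone{value: 0.1 ether}();
        assertEq(game.king(), player1);
        assertEq(game.pot(), 0.1 ether);
    }

    function test_directTransferSucceedsWithReceive() public {
        ThroneWithReceive game = new ThroneWithReceive(0.1 ether);
        vm.deal(player1, 1 ether);

        // With the empty receive() the ETH is accepted; absent a withdraw
        // function it stays in the contract, which is the scenario reported.
        vm.prank(player1);
        (bool ok, ) = address(game).call{value: 0.5 ether}("");
        assertTrue(ok);
        assertEq(address(game).balance, 0.5 ether);
    }
}
```

Run with `forge test --match-contract DirectTransferTest -vv`. The first test is the one a maintainer would keep after applying the mitigation, since it asserts the revert that removing `receive()` is meant to produce.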

Recommended Mitigation:
Logically there is no need to send extra ETH to the contract, so it is better to remove the `receive()` function.

- receive() external payable {}
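Review bot: removing `receive()` makes the plain value transfer in the PoC revert, so the `testLockedFunds` test above would no longer pass as written (`assertTrue(success)` and the balance check both fail); the mitigation should come with that test updated to expect `success == false` and an unchanged contract balance, so the regression test documents the intended behaviour rather than the old one.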
Updates

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
