Submission Details
Severity:
Extra ETH is silently accepted and added to the pot
Silent acceptance of excess ETH in claimThrone leads to unintended pot inflation
Description
The
Game::claimThronefunctions lacks a strict equality check, this allows users to overpay. This may lead to silent ETH loss and incorrect pot inflation.
@> require(msg.value >= claimFee, "Game: Insufficient ETH sent to claim the throne.");
Risk
Likelihood:
It is easy for users to accidentally send more ETH
Impact:
-
When users unintentionally send excess ETH, it is added to the pot without refund or warning.
-
Users can lose accidentally sent ETH
Proof of Concept
Add this test to GameTest.t.sol
function test_extra_sent(address user, uint256 claimFee) public {
address safeUser = address(uint160(bound(uint256(uint160(user)), 1, type(uint160).max)));
claimFee = bound(claimFee, 0.1 ether, 1 ether);
vm.deal(safeUser, claimFee);
game.claimThrone{value: claimFee}();
}
Recommended Mitigation
Enforce exact ETH payment.
- require(msg.value >= claimFee, "Game: Insufficient ETH sent to claim the throne.");
+ require(msg.value == claimFee, "Game: Invalid ETH amount sent to claim the throne.");
Updates
Appeal created
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
Overpayment not refunded, included in pot, but not in claim fee
Rewards breakdown
nSLOC
181This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.