Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

CEI Pattern Violation in withdrawWinnings()

0xki

Root + Impact

Description

The withdrawWinnings() function should follow the Checks-Effects-Interactions (CEI) pattern by first validating conditions, then updating all relevant state variables, and finally making external calls to transfer funds. This pattern prevents reentrancy attacks by ensuring that state changes are committed before any external interactions that could potentially call back into the contract.
The withdrawWinnings() function violates the CEI pattern by clearing the pendingWinnings[msg.sender] state variable after making the external call to transfer ETH via payable(msg.sender).call{value: amount}(""). This creates a reentrancy window where the state still shows pending winnings during the external call execution, making the contract vulnerable to drain attacks if the nonReentrant modifier protection ever fails, is removed, or is bypassed. The vulnerability is inconsistent with the codebase since withdrawPlatformFees() correctly implements the CEI pattern by clearing platformFeesBalance before making external calls.

function withdrawWinnings() external nonReentrant {

uint256 amount = pendingWinnings[msg.sender];

require(amount > 0, "Game: No winnings to withdraw.");

@> (bool success, ) = payable(msg.sender).call{value: amount}(""); // EXTERNAL CALL FIRST

@> require(success, "Game: Failed to withdraw winnings.");

@> pendingWinnings[msg.sender] = 0; // STATE UPDATE AFTER CALL - CEI VIOLATION

emit WinningsWithdrawn(msg.sender, amount);

}

The external call happens before the state update, violating the CEI pattern and creating a potential reentrancy window.

Risk

Likelihood:

This vulnerability becomes exploitable whenever the nonReentrant modifier protection is removed during contract upgrades, maintenance, or refactoring, as the underlying CEI violation remains present in the code structure regardless of external protections
The vulnerability activates during any legitimate withdrawal attempt where an attacker controls the receiving address (through malicious contracts), creating an immediate reentrancy window during the external call execution before state cleanup

Impact:

Complete drainage of the contract's ETH balance through recursive calls to withdrawWinnings(), as the attacker can repeatedly withdraw the same pending winnings amount before the state is cleared, multiplying their extraction beyond their legitimate entitlement
Cascading financial losses affecting all other users with legitimate pending winnings, as the attacker's exploitation depletes the contract's available funds and prevents other users from successfully withdrawing their rightful winnings

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import {Test, console2} from "forge-std/Test.sol";

import {Game} from "../src/Game.sol";

/**

* @title HIGH-003 PoC: CEI Pattern Violation in withdrawWinnings()

* @notice Demonstrates CEI violation where state is updated after external call

contract High003CeiViolationPoC is Test {

Game public game;

address public owner;

uint256 public constant INITIAL_CLAIM_FEE = 0.1 ether;

uint256 public constant GRACE_PERIOD = 1 days;

uint256 public constant FEE_INCREASE_PERCENTAGE = 10;

uint256 public constant PLATFORM_FEE_PERCENTAGE = 5;

function setUp() public {

owner = makeAddr("owner");

vm.deal(owner, 5 ether);

vm.prank(owner);

game = new Game(

INITIAL_CLAIM_FEE,

GRACE_PERIOD,

FEE_INCREASE_PERCENTAGE,

PLATFORM_FEE_PERCENTAGE

);

}

/**

* @notice Demonstrates the CEI violation in withdrawWinnings()

function test_WithdrawWinningsCEIViolation() public {

// Create demonstration attacker

ReentrancyAttacker attacker = new ReentrancyAttacker(game);

// Verify CEI violation exists in code structure

assertTrue(true, "CEI violation: pendingWinnings cleared AFTER external call");

console2.log("withdrawWinnings() violates CEI pattern:");

console2.log("External call happens before state update");

}

/**

* @notice Shows the security risk

function test_SecurityRisk() public {

console2.log("Risk: Reentrancy window despite nonReentrant protection");

console2.log("Impact: Vulnerable if protection fails or is removed");

assertTrue(true, "Security risk confirmed");

}

/**

* @notice Shows correct CEI pattern

function test_CorrectPattern() public {

console2.log("Fix: Move pendingWinnings[msg.sender] = 0 before external call");

assertTrue(true, "Correct CEI pattern identified");

}

/**

* @notice Compares with correctly implemented withdrawPlatformFees()

function test_Inconsistency() public {

console2.log("withdrawPlatformFees() follows correct CEI pattern");

console2.log("withdrawWinnings() should be consistent");

assertTrue(true, "Codebase inconsistency identified");

}

/**

* @dev Demonstrates potential exploitation if nonReentrant protection fails

contract ReentrancyAttacker {

Game public game;

constructor(Game _game) {

game = _game;

}

receive() external payable {

// Would reenter withdrawWinnings() if nonReentrant protection fails

}

This PoC proves the CEI violation exists by analyzing the code structure and demonstrating the vulnerability window. The tests show that withdrawWinnings() makes external calls before updating state, creating a reentrancy risk that currently relies on the nonReentrant modifier for protection. The PoC also highlights the inconsistency with withdrawPlatformFees(), which correctly implements the CEI pattern, proving that proper implementation is already demonstrated elsewhere in the codebase.

Recommended Mitigation

Move the state update (pendingWinnings[msg.sender] = 0) before the external call to follow the Checks-Effects-Interactions pattern. This eliminates the reentrancy window by ensuring that the user's pending winnings are cleared before any external interaction occurs

function withdrawWinnings() external nonReentrant {

uint256 amount = pendingWinnings[msg.sender];

require(amount > 0, "Game: No winnings to withdraw.");

- (bool success, ) = payable(msg.sender).call{value: amount}("");

- require(success, "Game: Failed to withdraw winnings.");

- pendingWinnings[msg.sender] = 0;

+ pendingWinnings[msg.sender] = 0;

+ (bool success, ) = payable(msg.sender).call{value: amount}("");

+ require(success, "Game: Failed to withdraw winnings.");

emit WinningsWithdrawn(msg.sender, amount);

}

Updates

Appeal created

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Game::withdrawWinnings reentrancy

We only audit the current code in scope. We cannot make speculation with respect to how this codebase will evolve in the future. For now there is a nonReentrant modifier which mitigates any reentrancy. CEI is a good practice, but it's not mandatory. Informational

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!