Last Man Standing

First Flight #45
Beginner FriendlyFoundrySolidity
100 EXP
Submission Details
Impact: medium
Likelihood: low
Invalid

ETH Can Be Trapped Through receive() Function

Summary

The contract accepts ETH through the receive() function but doesn't properly track or allocate these funds, causing them to become permanently trapped.

Description

The contract implements an empty receive() function that accepts ETH transfers but doesn't update the pot, platform fees, or any other tracked balance. This ETH becomes part of the contract balance but cannot be withdrawn through normal game mechanics.

Root Cause

The receive() function is implemented without any logic to handle the received ETH:

receive() external payable {}

Impact

  • Permanent Fund Loss: ETH sent directly to contract cannot be recovered

  • Accounting Discrepancies: Contract balance won't match pot + platform fees + pending winnings

  • Potential Exploitation: Could be used to manipulate contract balance calculations

Proof of Concept

function testReceiveFunctionIssue() public {
    uint256 randomAmount = 1 ether;
    uint256 contractBalanceBefore = game.getContractBalance();

    // Send ETH directly to the contract with empty calldata, which routes to receive()
    vm.prank(player1);
    (bool success,) = address(game).call{value: randomAmount}("");
    assertTrue(success);

    // The raw contract balance grows by the amount sent...
    uint256 contractBalanceAfter = game.getContractBalance();
    assertEq(contractBalanceAfter, contractBalanceBefore + randomAmount);

    // ...but neither the pot nor the platform fees were credited: the ETH is trapped
    assertEq(game.pot(), 0);
    assertEq(game.platformFeesBalance(), 0);
}

Recommended Mitigation

Either remove the receive() function or implement proper ETH handling, so that any ETH the contract accepts is credited to a tracked balance and the contract balance stays reconciled.

Option 1: Remove the receive() function

// Remove the receive() function entirely to prevent direct ETH transfers
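As an added illustration, not code from the audited contract, the minimal contract below shows both mitigation paths side by side: omitting receive() so plain ETH transfers revert, or keeping receive() but crediting the deposit so the balance invariant still holds. The state names `pot` and `platformFeesBalance` follow the finding; the contract name, the fee split and contribute() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical contract for illustration; not the audited game contract.
contract PotAccountingExample {
    uint256 public pot;
    uint256 public platformFeesBalance;
    uint256 public constant PLATFORM_FEE_BPS = 500; // 5%, assumed value

    event DirectDepositCredited(address indexed from, uint256 amount);

    // Weak version as reported: an empty receive() accepts ETH but credits
    // nothing, so address(this).balance drifts away from pot + fees.
    // receive() external payable {}

    // Option 1 (recommended above): omit receive() and fallback() entirely.
    // A plain ETH transfer with empty calldata then reverts, so the
    // contract balance can never drift from the tracked balances.

    // Option 2: accept direct transfers but account for them, here as a
    // fee-free contribution to the pot.
    receive() external payable {
        pot += msg.value;
        emit DirectDepositCredited(msg.sender, msg.value);
    }

    // Normal entry point: split the payment between pot and platform fees.
    function contribute() external payable {
        uint256 fee = (msg.value * PLATFORM_FEE_BPS) / 10_000;
        platformFeesBalance += fee;
        pot += msg.value - fee;
    }

    // Accounting invariant that every ETH path must preserve (the audited
    // contract would also add pending winnings to the right-hand side).
    // A Foundry invariant test can assert this after every call sequence.
    function balanceMatchesAccounting() external view returns (bool) {
        return address(this).balance == pot + platformFeesBalance;
    }
}
```

Under Option 1 the PoC above fails at `assertTrue(success)`, which is the desired outcome; under Option 2 it fails at `assertEq(game.pot(), 0)` because the deposit is now credited.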
Updates

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
