Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Empty receive() Function Allows ETH to Be Sent Without Triggering Game Logic

Root + Impact

Description

  • In the original contract, the receive() function was defined but left empty:

    receive() external payable {}

    This allows ETH to be sent directly to the contract without triggering any logic like claiming the throne. Players could accidentally send ETH and lose funds without actually participating in the game.

    This breaks the core expectation: sending ETH should attempt to claim the throne, as that is the central mechanic of the game.

    By default, most wallets (e.g., MetaMask) allow sending ETH directly, and users might assume doing so interacts with the game. Since no logic was executed, the ETH would simply go into the pot without updating the king or starting a new round.

    After the Fix:

    The receive() function was modified to automatically call claimThrone() when ETH is received:

    receive() external payable {
        // Allow direct ETH transfers to claim the throne
        claimThrone();
    }
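Worked example of the fixed pattern, added here for illustration. The ThroneGame contract below is a constructed stand-in, not the First Flight #45 code: its state (claimFee, pot, lastClaimTime), its 10% fee bump, the ThroneGameReceiveTest contract and the test names are all assumptions, and it assumes forge-std is available. It shows the two things the description relies on: a plain ETH send is now routed through claimThrone() with msg.sender and msg.value intact, and claimThrone()'s own checks therefore also guard plain sends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the game contract (not the First Flight #45 code).
// Only the pieces needed to show receive() routing into claimThrone().
contract ThroneGame {
    address public currentKing;
    uint256 public claimFee;       // what the next claimant must pay
    uint256 public pot;
    uint256 public lastClaimTime;

    event ThroneClaimed(address indexed king, uint256 value);

    constructor(uint256 initialFee) {
        claimFee = initialFee;
    }

    // Core mechanic. Declared `public` (not `external`) so receive() can call
    // it internally, and `payable` so the forwarded msg.value is readable.
    function claimThrone() public payable {
        require(msg.value >= claimFee, "insufficient claim fee");
        require(msg.sender != currentKing, "already king");

        currentKing = msg.sender;
        pot += msg.value;
        claimFee = msg.value + msg.value / 10; // next claim costs 10% more
        lastClaimTime = block.timestamp;

        emit ThroneClaimed(msg.sender, msg.value);
    }

    // The fix from the report: a plain ETH transfer goes through claimThrone(),
    // so it is validated and updates game state instead of silently landing in
    // the pot. The internal call leaves msg.sender and msg.value unchanged.
    receive() external payable {
        claimThrone();
    }
}

contract ThroneGameReceiveTest is Test {
    ThroneGame internal game;
    address internal alice;

    function setUp() public {
        game = new ThroneGame(0.1 ether);
        alice = makeAddr("alice");
        vm.deal(alice, 1 ether);
    }

    // A bare send carrying enough value now claims the throne.
    function testPlainSendClaimsThrone() public {
        vm.prank(alice);
        (bool ok, ) = address(game).call{value: 0.5 ether}("");
        assertTrue(ok);
        assertEq(game.currentKing(), alice);
        assertEq(game.pot(), 0.5 ether);
        assertEq(game.claimFee(), 0.55 ether);
    }

    // A bare send below the fee is rejected, not silently kept.
    function testUnderpaidSendReverts() public {
        vm.prank(alice);
        (bool ok, ) = address(game).call{value: 0.01 ether}("");
        assertFalse(ok);
        assertEq(game.currentKing(), address(0));
        assertEq(address(game).balance, 0);
    }
}
```

Run with `forge test` from a Foundry project that has forge-std installed. One caveat to keep in mind when adopting this pattern: a sender that uses `transfer()` or `send()` forwards only the 2300-gas stipend, which is not enough for claimThrone()'s storage writes, so those transfers revert rather than claim; wallets and `call`-based senders that forward an estimated gas limit are unaffected.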

Risk

Likelihood:

  • Medium: Many users interact with smart contracts through wallet UIs or simple sends.

  • High for mobile or less technical users who don’t know they must call claimThrone() directly.

Impact:

  • Medium: Users may lose ETH unintentionally without gaining king status.

  • Leads to poor UX and breaks trust in the protocol.

Proof of Concept

// Foundry test against the original contract, whose receive() is empty.
// A player (here the test contract, funded by Foundry) sends ETH directly to the game.
function testDirectSendDoesNotClaimThrone() public {
    (bool sent, ) = address(game).call{value: 1 ether}("");
    require(sent, "Send failed");
    // No throne claimed. ETH sits in the contract.
    assertTrue(game.currentKing() != address(this));
    assertEq(address(game).balance, 1 ether);
}

Recommended Mitigation

Explanation:

Automatically call claimThrone() inside the receive() function. This ensures all ETH transfers behave as expected and preserve the integrity of the game's mechanics.

- receive() external payable {}
+ receive() external payable {
+ claimThrone();
+ }
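Review bot: the internal call `claimThrone();` in the `+` lines compiles only if claimThrone() is declared `public` (an `external` function cannot be called internally) and `payable` (otherwise the value-carrying call from receive() reverts); if the original declaration is `external`, the diff should include that signature change. Worth stating alongside the fix: receive() entered via `transfer()` or `send()` gets only the 2300-gas stipend, which is too little for claimThrone()'s storage writes, so those senders' transfers will revert rather than claim.
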
Updates

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Direct ETH transfers - User mistake

There is no reason for a user to directly send ETH or anything to this contract. Basic user mistake, info, invalid according to CH Docs.
