The contract uses blockhash(blockNumber) to determine the correctness of a user's guess. However, blockhash returns zero for blocks older than 256 blocks. An attacker can lock in a guess of zero and wait until the target block is more than 256 blocks old. When settle() is called, blockhash returns zero, matching the attacker's guess, allowing them to steal the funds. This flaw makes the game trivially exploitable.
Add a check in settle() to ensure the current block is within 256 blocks of the guessed block. Modify the require statement to require(block.number > guesses[msg.sender].block && block.number <= guesses[msg.sender].block + 256, "Settlement window expired"); This ensures blockhash returns the actual hash, not zero.
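The following is an added example, not the audited contract's code: a minimal guessing game that shows the unsafe settle() next to the hardened one described above. The struct and field names (Guess, guesses, targetBlock, stake, commit) are assumptions; in particular targetBlock stands in for the field the finding calls guesses[msg.sender].block.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the finding; names and payout rule are assumptions,
// not the audited project's own code.
contract BlockhashGuessExample {
    struct Guess {
        bytes32 hash;        // hash the player committed to
        uint256 targetBlock; // block whose hash decides the outcome
        uint256 stake;       // wei deposited with the guess
    }

    mapping(address => Guess) public guesses;

    // Player commits to a hash for a block a few blocks in the future.
    function commit(bytes32 guessedHash, uint256 blocksAhead) external payable {
        require(msg.value > 0, "no stake");
        require(blocksAhead > 0, "target must be in the future");
        require(guesses[msg.sender].stake == 0, "guess pending");
        guesses[msg.sender] = Guess(guessedHash, block.number + blocksAhead, msg.value);
    }

    // UNSAFE (the pattern from the finding): once targetBlock is more than
    // 256 blocks old, blockhash() returns bytes32(0), so a committed guess of
    // zero can simply wait and then "win".
    function settleUnsafe() external {
        Guess memory g = guesses[msg.sender];
        require(g.stake > 0, "no guess");
        require(block.number > g.targetBlock, "too early");
        delete guesses[msg.sender];
        if (blockhash(g.targetBlock) == g.hash) {
            _pay(msg.sender, g.stake * 2);
        }
    }

    // HARDENED: blockhash() is only meaningful for the 256 most recent blocks,
    // excluding the current one, i.e. targetBlock in [block.number - 256, block.number - 1].
    // Outside that window settlement is refused instead of comparing against zero.
    function settle() external {
        Guess memory g = guesses[msg.sender];
        require(g.stake > 0, "no guess");
        require(
            block.number > g.targetBlock && block.number <= g.targetBlock + 256,
            "Settlement window expired"
        );
        bytes32 actual = blockhash(g.targetBlock);
        // Inside the window the hash is always non-zero; a zero here would be a
        // broken invariant, not a valid outcome.
        assert(actual != bytes32(0));
        delete guesses[msg.sender];
        if (actual == g.hash) {
            _pay(msg.sender, g.stake * 2);
        }
    }

    // Payout helper (assumed 2x stake; the contract must hold enough balance).
    function _pay(address to, uint256 amount) internal {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "payout failed");
    }

    receive() external payable {}
}
```

With the window check in place, a guess of zero can never match, because every hash observable inside the window is a real block hash. Note that the check also means a stake whose window has closed cannot be settled at all; whether such stakes should be refundable is a design question the finding does not address, and a production contract would want an explicit rule for it.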
Lines 25–37