Description:

The RockPaperScissors contract lacks a timeout mechanism for the commit phase after both players have joined a game. While the contract implements timeouts for the join phase (via timeoutJoin()) and reveal phase (via timeoutReveal()), there is no equivalent functionality for the commit phase. This critical oversight allows a malicious player to permanently lock games in the Created state after joining, with no mechanism for the other player to recover their funds.

Attack path:

1. Player A creates a game with an ETH bet using createGameWithEth()

2. Player B joins the game using joinGameWithEth(), matching the bet amount

3. Player A has committed their move and the game state change to Committed state

4. Player B never commits a move

5. Player A can't use cancelGame() becuase GameState is no longer is Created

6. The game remains in limbo indefinitely as there is no timeout function for this phase

7. Player A's funds remain locked in the contract with no recovery mechanism

8. This can be abused at scale by malicious actors to lock substantial amounts of ETH from multiple players

Impact:

• Players can permanently lose access to their funds if opponents refuse to commit moves

• Malicious actors can intentionally join games with the purpose of locking funds

• In multi-round games, a player who is losing can refuse to commit in subsequent rounds

Recommended Mitigation:

Implement a commit phase timeout similar to the existing reveal timeout