Rock Paper Scissors

First Flight #38

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing Protocol Fee, It's Giving players an opportunity to Create and Join the game without paying any fees.

redhossain

Summary

The smart contract is designed to take a 10% protocol fee from game bets, but this functionality is not implemented. Currently:

1: Players pay the full bet amount

2: The protocol receives no revenue from games

Vulnerability Details

function testCreateGameWithEthSendsZeroFees() public {

uint256 betAmount = 1 ether;

uint256 initialFeeCollectorBalance = feeCollector.balance;

// PlayerA creates a game

vm.prank(playerA);

game.createGameWithEth{value: betAmount}(3, 5 minutes);

// Fee collector received NOTHING (balance unchanged)

assertEq(

feeCollector.balance, initialFeeCollectorBalance, "Protocol fee was sent!"

);

}

function testJoinGameWithEthSendsZeroFees() public {

uint256 betAmount = 1 ether;

uint256 initialFeeCollectorBalance = feeCollector.balance;

// PlayerA creates a game

vm.prank(playerA);

game.createGameWithEth{value: betAmount}(3, 5 minutes);

// PlayerB join the game

vm.prank(playerB);

game.joinGameWithEth{value: betAmount}(gameId);

// Fee collector received NOTHING (balance unchanged)

assertEq(

feeCollector.balance, initialFeeCollectorBalance, "Protocol fee was sent!"

);

}

Missing Fee Logic: The RockPaperScissors::CreateGameWithEth and RockPaperScissors::JoinGameWithEth functions do not calculate the protocol fee before locking funds.
No Fee Collector Interaction: There is no logic to transfer fees to a protocol-owned address.
Unused Constant: PROTOCOL_FEE_PERCENT is defined but never applied in the contract.

Impact

Lost Revenue: The protocol misses out on its 10% fee.

Unfair Economics: Players benefit fully, while the protocol gets nothing.

Recommendations

Deduct Fees on Entry

Modify RockPaperScissors::createGameWithEth, and RockPaperScissors::joinGameWithEth to deduct 10% from bets.

+ uint256 fee = (msg.value \* PROTOCOL\_FEE\_PERCENT) / 100;

+ uint256 remainingBet = msg.value - fee;

+ payable(feeCollector).transfer(fee); // Send fee to protocol

Updates

Appeal created

m3dython Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

m3dython Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

349

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.