Submission Details
Severity:
Winning Token struck forever
[H-3] summary
Winning Token struck forever
vulnerability details
when we participate in the game using RockPaperScissors::createGameWithToken , here contract transfers the tokens from the player to the contract and there is not way to recover those token
Those tokens will lost forever in the RockPaperScissors contract
When a user wins in the game or the game ties , at all places we are minting the new token and not transfering the tokens that was already present in the contract
impact - High
likelyhood - High
Recommendations
We need add a function to transfer tokens from the contract to the owner
/**
* @dev Transfer the winning token to the contract owner
* @param _amount Amount of tokens ( 0 for all tokens to withdraw)
*/
function transferWinningToken(uint256 _amount) external {
require(msg.sender == adminAddress, "Only admin can withdraw Winning Token");
uint256 amountToTransfer = _amount == 0 ? winningToken.balanceOf(address(this)) : _amount;
require(amountToTransfer > 0, "No tokens to withdraw");
winningToken.transfer(msg.sender, amountToTransfer);
}
Rewards breakdown
nSLOC
349This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.