Lack of validation of commitment hash leads to a corrupt game state transition
Summary
The RockPaperScissors contract contains a significant vulnerability in the commitMove() function that allows a player to manipulate the game state by submitting a zero hash as their move commitment. This illegitimately changes the game state to GameState.Committed, which prevents the legitimate execution of cancelGame() and timeoutJoin() functions since these require the game to be in the GameState.Created state. This creates a Denial of Service (DoS) vector where a malicious player can block normal game flow and trap the opponent's funds for a time.
Vulnerability Details
The commitMove() function does not validate that the submitted hash is non-zero before updating the game state to GameState.Committed. A malicious player can exploit this by submitting a commitment with bytes32(0), which isn't a legitimate move commitment but still triggers the state transition.
Impact
-
Players can be denied the ability to cancel games or claim timeout when appropriate.
-
ETH or token stakes can be temporarily locked in the contract.
-
A malicious player can force legitimate players to wait for longer timeout periods.
Tools Used
Foundry
Recommendations
Add validation in the commitMove() function to reject zero hash commitments.
Appeal created
Lack of Salt Uniqueness Enforcement
The contract does not enforce salt uniqueness
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.