A critical Denial-of-Service vulnerability exists in the commitMove function: a player can indefinitely stall game progression after the first turn. Because the commit phase has no deadline, the opponent of a player who never submits a commitment has no way to advance the game or withdraw. This allows a malicious actor to lock funds and disrupt legitimate gameplay, potentially causing significant financial losses and reputational damage.
Commit Phase Timeout

Affected code: commitMove function

Impact:
Staked ETH/tokens remain permanently locked
Potential total loss of deposited funds
Unrecoverable assets due to indefinite game stall

Detection: Manual code review of the commitMove function

Recommendation: Implement a timeout mechanism for the commit phase
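The following is an added example, not the audited project's code, showing what the recommended timeout looks like in a minimal two-player commit-reveal game. Every name in it (the Phase enum, COMMIT_WINDOW, claimTimeout, refundIfNobodyCommitted, join) is an assumption; the project's real commitMove may differ in structure. The vulnerable shape is the same contract with no commitDeadline and no escape hatch, so a player who never calls commitMove after turn 1 freezes both stakes forever.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not the project's code). All identifiers are assumptions.
contract CommitRevealGame {
    enum Phase { Open, Commit, Reveal, Finished }

    address public immutable playerA;
    address public playerB;
    uint256 public immutable stake;                    // per-player deposit
    uint256 public constant COMMIT_WINDOW = 1 days;    // assumed timeout length

    Phase public phase;
    uint256 public turn;
    uint256 public commitDeadline;                     // timestamp after which the commit phase is over
    mapping(address => bytes32) public commitment;
    mapping(address => bytes1) public revealed;        // 0 = not revealed yet

    constructor() payable {
        require(msg.value > 0, "stake required");
        playerA = msg.sender;
        stake = msg.value;
        phase = Phase.Open;
    }

    function join() external payable {
        require(phase == Phase.Open && msg.value == stake, "cannot join");
        playerB = msg.sender;
        _startCommitPhase();
    }

    function _isPlayer(address a) internal view returns (bool) {
        return a == playerA || a == playerB;
    }

    // Resets per-turn state and, crucially, records a deadline for the commit phase.
    // The vulnerable version omits the deadline, so nothing ever forces the phase to end.
    function _startCommitPhase() internal {
        phase = Phase.Commit;
        delete commitment[playerA]; delete commitment[playerB];
        delete revealed[playerA];   delete revealed[playerB];
        commitDeadline = block.timestamp + COMMIT_WINDOW;
        turn++;
    }

    // Hardened commitMove: commitments are only accepted inside the window.
    function commitMove(bytes32 hash) external {
        require(phase == Phase.Commit && _isPlayer(msg.sender), "not committing");
        require(block.timestamp <= commitDeadline, "commit window closed");
        require(commitment[msg.sender] == bytes32(0), "already committed");
        commitment[msg.sender] = hash;
        if (commitment[playerA] != bytes32(0) && commitment[playerB] != bytes32(0)) {
            phase = Phase.Reveal;
        }
    }

    function revealMove(bytes1 move, bytes32 salt) external {
        require(phase == Phase.Reveal && _isPlayer(msg.sender), "not revealing");
        require(move != 0, "move must be non-zero");
        require(keccak256(abi.encodePacked(move, salt)) == commitment[msg.sender], "bad reveal");
        revealed[msg.sender] = move;
        if (revealed[playerA] != 0 && revealed[playerB] != 0) {
            _startCommitPhase(); // next turn; game-specific scoring omitted
        }
    }

    // Escape hatch 1: the player who did commit can end a stalled game after the
    // deadline and collect both stakes; the player who stalled forfeits.
    function claimTimeout() external {
        require(phase == Phase.Commit && block.timestamp > commitDeadline, "window still open");
        require(commitment[msg.sender] != bytes32(0), "caller did not commit");
        address opponent = msg.sender == playerA ? playerB : playerA;
        require(commitment[opponent] == bytes32(0), "opponent committed");
        phase = Phase.Finished;                         // state change before the external call
        _pay(msg.sender, address(this).balance);
    }

    // Escape hatch 2: if neither player committed, either can unwind the game
    // and both stakes are returned, so funds are never stuck.
    function refundIfNobodyCommitted() external {
        require(phase == Phase.Commit && block.timestamp > commitDeadline, "window still open");
        require(_isPlayer(msg.sender), "not a player");
        require(commitment[playerA] == bytes32(0) && commitment[playerB] == bytes32(0), "someone committed");
        phase = Phase.Finished;
        _pay(playerA, stake);
        _pay(playerB, stake);
    }

    function _pay(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The two escape hatches are the part that actually removes the DoS: a deadline alone only rejects late commits, and without claimTimeout or refundIfNobodyCommitted the game would still sit in Phase.Commit with the stakes locked. The same deadline-plus-exit pattern is needed on the reveal phase, since a player who commits but never reveals produces the same stall.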
Attack allows a player to reveal their move for the next turn before the opponent commits