Magic Number Used in Token Transfers in `createGameWithToken` and `joinGameWithToken`
Summary
The RockPaperScissors::createGameWithToken and RockPaperScissors::joinGameWithToken functions use a hardcoded value 1 for token transfers, a magic number that reduces code readability and maintainability. A named constant should be used instead.
Vulnerability Details
In RockPaperScissors::createGameWithToken and RockPaperScissors::joinGameWithToken, the contract uses the hardcoded value 1 in the winningToken.transferFrom calls to transfer tokens from the caller to the contract. This magic number lacks context, making it unclear what the value represents (e.g., the required token stake amount). Hardcoding such values reduces code readability and increases the risk of errors if the token amount needs to change in the future, as developers must manually update all instances of 1 across the codebase.
Impact
Reduced code readability, making it harder for developers to understand the purpose of the token transfer amount.
Increased maintenance burden, as changing the token stake amount requires updating hardcoded values in multiple places.
Potential for errors if the hardcoded value is inconsistently updated in future modifications.
No immediate security impact, but it violates best practices for maintainable smart contract development.
Tools Used
Manual Review
Recommendations
Appeal created
Informational
Code suggestions or observations that do not pose a direct security risk.
Informational
Code suggestions or observations that do not pose a direct security risk.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.