The internal function _finishGame() is responsible for distributing ETH prizes (if any) and minting a token to the winner. However, it lacks any validation to ensure that the _winner address is one of the players involved in the game (playerA or playerB).
While this is not directly exploitable under the current logic—since _finishGame() is marked internal and only called from controlled game flows—this lack of defensive programming increases the risk of future bugs or misuse, especially if the contract is modified or extended.
Leaves the codebase prone to future logic errors.
Could allow token minting or ETH transfers to invalid or unintended addresses in the event of upstream logic flaws.
Increases maintenance risk and reduces robustness of the system.
Add a validation check to ensure the _winner is indeed one of the participants in the game:
Additionally, consider verifying that the game is in a finalizable state (e.g., Finished) to reduce the risk of misuse.
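The two recommended checks above (participant validation and a finalizable-state check) as an added Solidity illustration; this is not the audited project's code, and the Game struct, GameState enum and _mintToken are hypothetical stand-ins for the project's own definitions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. Game, GameState and
// _mintToken are hypothetical names standing in for the project's own.
contract GameFinishGuard {
    enum GameState { Open, InProgress, Finished, Settled }

    struct Game {
        address playerA;
        address playerB;
        uint256 prize; // ETH escrowed for the winner, if any
        GameState state;
    }

    mapping(uint256 => Game) public games;

    error NotAParticipant(uint256 gameId, address winner);
    error GameNotFinishable(uint256 gameId, GameState state);
    error PrizeTransferFailed();

    function _finishGame(uint256 gameId, address _winner) internal {
        Game storage game = games[gameId];

        // Check 1 (the finding's recommendation): the winner must be a participant.
        if (_winner != game.playerA && _winner != game.playerB) {
            revert NotAParticipant(gameId, _winner);
        }
        // Check 2: the game must be in a finalizable state before paying out.
        if (game.state != GameState.Finished) {
            revert GameNotFinishable(gameId, game.state);
        }

        // Settle state before any external call so the same game cannot be
        // finished twice, even if a future caller path re-enters.
        game.state = GameState.Settled;
        uint256 prize = game.prize;
        game.prize = 0;

        _mintToken(_winner, gameId);
        if (prize > 0) {
            (bool ok, ) = _winner.call{value: prize}("");
            if (!ok) revert PrizeTransferFailed();
        }
    }

    // Stand-in for the project's token mint (hypothetical).
    function _mintToken(address, uint256) internal virtual {}
}
```

Because _finishGame() stays internal, these checks cost only two comparisons per call but make any future caller that passes a wrong address or settles an unfinished game revert instead of minting or paying out incorrectly.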
Code suggestions or observations that do not pose a direct security risk.