Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: high
Invalid

Manipulation of reveal deadline in the timeoutReveal function.

Summary

The revealMove() function uses block.timestamp to enforce deadlines in the game, which could be manipulated by a malicious miner.

Vulnerability Details

The reveal deadline is enforced by the line of code:

require(block.timestamp <= game.revealDeadline, "Reveal phase timed out");

which includes block.timestamp. If a malicious user who controls a miner decides to cheat, he can set the reveal deadline (block.timestamp) greater than the permitted time by a few seconds, thereby cheating, which breaks the essence of the fairness of the game.

He can also set the deadline of the next block (Player B's game) less than the deadline time, so B loses the game to idleness even if he wasn't really idle.

Impact

Malicious players can exploit this vulnerability to disrupt the fairness of the game by gaining a few more seconds to reveal and also removing some seconds from the next player.

Tools Used

Manual Review.

Recommendations

block.timestamp should be replaced by block.number, which isn't controllable by miners. Chainlink Keepers and Oracles are also a better option.

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement