Rock Paper Scissors

🪙 Finding: Unlimited Token Inflation via Centralized Minting Authority

📌 Summary

The WinningToken.sol contract used in the RockPaperScissors.sol DApp includes a mint() function that is protected by the Ownable modifier. However, there is no cap or supply limitation in the contract, allowing the owner to mint unlimited tokens. This introduces a centralized control point that can break the integrity and fairness of the game reward mechanism.

🔍 Vulnerable Code

File: WinningToken.sol

• The mint() function can be called by the owner at any time with any amount.

• There is no maxSupply constraint or governance mechanism to limit its usage.

💥 Impact

• The admin (initially the RockPaperScissors contract or its deployer) can arbitrarily issue an unlimited number of winner tokens.

• Undermines the value of the token as a symbol of winning or rarity.

• Allows for manipulated access to token-based games, where fake tokens could be minted and reused.

• Violates the decentralization principle stated in the project documentation.

🔒 Recommendation

To mitigate the risk of inflation and abuse:

1. Introduce a max supply constraint:

1. Alternatively, replace Ownable with AccessControl and restrict minting only to the RockPaperScissors contract:

1. Document the intended supply model in the contract or project documentation.

✅ Conclusion

Unlimited minting without restrictions introduces a centralization and inflation risk that contradicts the protocol’s stated goal of fairness and decentralization. Implementing simple supply constraints or access controls ensures trustless reward distribution and enhances the protocol's integrity.

✅ Tool Used

Manual Review