The RockPaperScissors contract utilizes a commit-reveal scheme where players submit a hash of their move combined with a salt. However, there is no mechanism to ensure the uniqueness of each commitment. This opens the possibility for replay attacks, where the same commit hash can be reused across multiple games, potentially undermining the fairness and integrity of the system.
The contract generates a commitment hash using:
This hash can be reused in multiple games or by multiple users, especially if the salt is weak, reused, or predictable. Since the contract does not bind the commitment to the sender's address or the game context (e.g., game ID), this allows:
A player to reuse a commitment from a past game.
A malicious actor to observe a previously revealed move and salt pair, recreate the commitment hash, and reuse it in another game.
Replayability: Commitments can be copied and reused across games.
Predictability: Weak or reused salts make it easier to reverse-engineer moves.
Fairness Violation: The contract allows replayed commitments, enabling strategic manipulation or exploitation of the game.
This degrades the integrity of the commit-reveal scheme and may allow malicious actors to gain an unfair advantage.
Bind Commitment to Sender: Include the player’s address when generating the commitment:
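The contrast below is an added example and not the audited RockPaperScissors contract's code. It places an unbound commitment (hash of move and salt only, as the finding describes) next to a commitment that covers the committing address and the game id, and it additionally records every accepted hash so the same commitment cannot be submitted twice. The contract name, the `Game` struct, the `usedCommitments` mapping and the function names are assumptions chosen for illustration; game bookkeeping is reduced to the parts the finding touches.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited contract): unbound vs. bound commitments.
contract CommitRevealExample {
    enum Move { None, Rock, Paper, Scissors }

    // Per-game state, simplified to what the finding concerns.
    struct Game {
        mapping(address => bytes32) commitments;
        mapping(address => Move) revealed;
    }

    mapping(uint256 => Game) private games;

    // Every commitment hash that was ever accepted. A hash lifted from a
    // finished game, or from another player, is rejected on reuse even if
    // its preimage (move, salt, address, gameId) has become public.
    mapping(bytes32 => bool) public usedCommitments;

    // Vulnerable shape, kept only for contrast: nothing ties the hash to the
    // caller or to the game, so a (move, salt) pair revealed in one game
    // reproduces a valid commitment for any player in any other game.
    function unboundCommitment(Move move, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(move, salt));
    }

    // Hardened shape: the hash covers the game id and the player's address.
    // abi.encode (not encodePacked) is used so fixed-width fields cannot be
    // shifted into one another by the encoder.
    function boundCommitment(uint256 gameId, address player, Move move, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(gameId, player, move, salt));
    }

    // Accept a commitment once per player per game, and never the same hash twice.
    function commit(uint256 gameId, bytes32 commitment) external {
        Game storage g = games[gameId];
        require(g.commitments[msg.sender] == bytes32(0), "already committed");
        require(!usedCommitments[commitment], "commitment already used");
        usedCommitments[commitment] = true;
        g.commitments[msg.sender] = commitment;
    }

    // The reveal recomputes the bound hash with msg.sender and gameId, so a
    // commitment produced for a different player or game cannot be opened here.
    function reveal(uint256 gameId, Move move, bytes32 salt) external {
        require(move != Move.None, "invalid move");
        Game storage g = games[gameId];
        bytes32 expected = boundCommitment(gameId, msg.sender, move, salt);
        require(g.commitments[msg.sender] == expected, "commitment mismatch");
        require(g.revealed[msg.sender] == Move.None, "already revealed");
        g.revealed[msg.sender] = move;
    }

    function revealedMove(uint256 gameId, address player) external view returns (Move) {
        return games[gameId].revealed[player];
    }
}
```

Binding the address and game id is what closes the replay path the finding describes; the `usedCommitments` check is a defence in depth that also catches a duplicate submitted in the same game by the same player, and the reveal's recomputation of the bound hash means a salt that leaks after a game has ended is of no further use.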
The contract does not enforce salt uniqueness