Submission Details
Severity:
Lack of replay protection in commit hashes
Summary
Commitments use keccak256(move, salt) with no unique game identifier. Risk of cross-game reuse.
Vulnerability Details
A player could reuse the same (move, salt) pair across multiple games, leading to identical hashes. Without gameId or player-specific entropy like nonce, a committed move could potentially be recognized and front-run in future games.
Impact
Cross-game commit replay vulnerability
Possible front-running or strategic leakage
Tools Used
Manual code review
Recommendations
Include unique identifiers in the hash.|
This ensures commitments are unique per game and player:
bytes32 commit = keccak256(abi.encodePacked(gameId, msg.sender, move, salt));
Updates
Appeal created
m3dython 4 months ago
Submission Judgement Published Assigned finding tags:
Lack of Salt Uniqueness Enforcement
The contract does not enforce salt uniqueness
Rewards breakdown
nSLOC
349This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.