Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Unbounded totalTurns Parameter Can Lead to DoS

Description:
The createGameWithEth and createGameWithToken functions accept an unbounded _totalTurns parameter. While there is a check that _totalTurns must be odd and greater than zero, there is no upper limit.

require(_totalTurns > 0, "Must have at least one turn");
require(_totalTurns % 2 == 1, "Total turns must be odd");

Impact:

  • An attacker could create a game with an extremely large _totalTurns value, making it practically impossible to finish the game within reasonable gas or time limits.

  • This could effectively lock the staked funds in the contract indefinitely.

  • The impact is amplified when users stake significant amounts of ETH or valuable tokens.

  • It wastes significant gas for victims who attempt to play such a game.

Recommendation:
Implement a reasonable maximum limit for _totalTurns:

require(_totalTurns > 0 && _totalTurns <= MAX_TURNS, "Invalid number of turns");

Where MAX_TURNS is a constant defined at the contract level (e.g., 21). The existing oddness check (_totalTurns % 2 == 1) should be kept alongside the new bound.
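To make the recommendation concrete, the following is an added illustration (not the audited Rock Paper Scissors code): a hypothetical minimal game factory that funnels every creation path through one bounded validator, plus a Foundry test showing that a huge turn count is rejected while the boundary value 21 is accepted. The contract name, the Game struct and the games array are assumptions; only createGameWithEth, MAX_TURNS and the require messages come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal game factory (not the audited contract) that applies
// the recommended upper bound while keeping the original oddness rule.
contract BoundedTurnsGame {
    uint256 public constant MAX_TURNS = 21; // example value from the recommendation

    struct Game { address creator; uint256 bet; uint256 totalTurns; }
    Game[] public games;

    // One validator shared by every creation path so no path can skip the bound.
    function _validateTurns(uint256 _totalTurns) internal pure {
        require(_totalTurns > 0 && _totalTurns <= MAX_TURNS, "Invalid number of turns");
        require(_totalTurns % 2 == 1, "Total turns must be odd");
    }

    function createGameWithEth(uint256 _totalTurns) external payable returns (uint256 gameId) {
        _validateTurns(_totalTurns);
        require(msg.value > 0, "Bet must be greater than zero");
        games.push(Game(msg.sender, msg.value, _totalTurns));
        gameId = games.length - 1;
    }
}

// Foundry tests: a huge turn count is rejected, the boundary value is accepted.
contract BoundedTurnsGameTest is Test {
    BoundedTurnsGame game;

    function setUp() public {
        game = new BoundedTurnsGame();
        vm.deal(address(this), 10 ether); // fund the test contract for the bets
    }

    function test_RejectsHugeTurnCount() public {
        vm.expectRevert(bytes("Invalid number of turns"));
        game.createGameWithEth{value: 1 ether}(type(uint256).max);
    }

    function test_AcceptsMaxTurns() public {
        uint256 id = game.createGameWithEth{value: 1 ether}(21);
        (, , uint256 turns) = game.games(id);
        assertEq(turns, 21);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; an even value such as 20 is still rejected by the retained oddness check.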

Tools Used

  • Manual code review

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.
