Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Uncapped Token Minting via Game Logic

Summary: The WinningToken contract has no supply cap and allows new tokens to be minted from internal game logic functions such as _cancelGame() and _finishGame(). Because tokens are minted rather than returned from escrow, a player receives freshly minted tokens when a game is cancelled while the originally deposited tokens stay locked in the contract, where the admin may be able to retrieve them. This creates a path to unbounded token inflation, undermining trust in the token's value and giving the contract owner a backdoor for minting.

Vulnerability Details: A malicious admin or an automated bot could create fake games between wallets it controls, trigger the functions that mint new tokens repeatedly, and collect the newly minted tokens while the original deposits accumulate in the contract.

Impact:
1) The admin can repeatedly trigger the internal functions to mint tokens without real gameplay.
2) The value and scarcity of the token are undermined.
3) Honest players are diluted by maliciously minted tokens.

Tools Used: manual code review

Recommendations:

  • Track player deposits explicitly and return tokens from escrow instead of minting new ones.

  • Use a vault or escrow system to securely manage token-based deposits and withdrawals.

  • Introduce a maximum total supply and enforce it in the mint() function.
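The two recommendations above, shown together as an added illustration that is not code from the Rock Paper Scissors project: a capped token whose mint() enforces MAX_SUPPLY, and a game contract that holds each stake in escrow and returns it on cancel rather than minting. The contract names, the OpenZeppelin imports, the cap value and the game struct are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical capped token: mint() refuses to push totalSupply past MAX_SUPPLY.
contract CappedWinningToken is ERC20, Ownable {
    uint256 public constant MAX_SUPPLY = 1_000_000e18; // constructed cap for the example

    constructor() ERC20("WinningToken", "WIN") Ownable(msg.sender) {}

    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply() + amount <= MAX_SUPPLY, "cap exceeded");
        _mint(to, amount);
    }
}

/// Hypothetical game that escrows the creator's stake instead of minting on cancel.
contract EscrowGame {
    CappedWinningToken public immutable token;
    struct Game { address creator; uint256 stake; bool open; }
    mapping(uint256 => Game) public games;
    uint256 public nextGameId;

    constructor(CappedWinningToken _token) { token = _token; }

    function createGame(uint256 stake) external returns (uint256 id) {
        require(stake > 0, "zero stake");
        // The deposit is recorded per game so it can later be returned, never re-minted.
        require(token.transferFrom(msg.sender, address(this), stake), "transfer failed");
        id = nextGameId++;
        games[id] = Game(msg.sender, stake, true);
    }

    function cancelGame(uint256 id) external {
        Game storage g = games[id];
        require(g.open && g.creator == msg.sender, "not cancellable");
        g.open = false;          // update state before the external call
        uint256 refund = g.stake;
        g.stake = 0;
        // Return the escrowed tokens; a cancel leaves totalSupply unchanged.
        require(token.transfer(msg.sender, refund), "refund failed");
    }
}
```

Because cancelGame() only moves tokens the contract already holds, repeatedly creating and cancelling games between controlled wallets cannot increase supply, and nothing is left stranded in the contract for an admin to sweep.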

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.

