Contract mints a token every time a token based game is finished
Summary
When a token based game finishes, more tokens are minted
Vulnerability Details
In _finishGame, _handleTie and _cancelGame winningToken.mint is being called. For token based games, the users already transferred the WinningToken to the RockPaperScissors contract so instead of minting a new token it can do the following winningToken.transfer(to, amount).
The only time it is okay to mint a token is when a ETH based game finishes since the contract might not have the balance to reward the winner.
Impact
This is not a security vulnerability but it is making the token more inflationary than it should. Since there isn't a max supply or burn mechanism, it is better to min the tokens only when it is necessary, which is the moment an ETH game finishes.
Tools Used
Manual review
Recommendations
replace .mint, with transfer whenever a token is transferred to a token based player.
Example:
Appeal created
Minting Instead of Transferring Staked Tokens
Mints new tokens upon game completion or cancellation for token-based games
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.