Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Contract mints a token every time a token based game is finished

Summary

When a token-based game finishes, more tokens are minted.

Vulnerability Details

In _finishGame, _handleTie and _cancelGame, winningToken.mint is called. For token-based games, the users have already transferred their WinningToken to the RockPaperScissors contract, so instead of minting a new token the contract can call winningToken.transfer(to, amount).

The only time it is okay to mint a token is when an ETH-based game finishes, since the contract might not have the balance to reward the winner.

Impact

This is not a security vulnerability, but it makes the token more inflationary than it should be. Since there isn't a max supply or burn mechanism, it is better to mint tokens only when necessary, which is the moment an ETH game finishes.

Tools Used

Manual review

Recommendations

Replace .mint with transfer whenever a token is paid out to a player in a token-based game.

Example:

    if (game.bet == 0) {
        // Token-based game: pay out the tokens the contract already holds
        winningToken.transfer(_winner, 2);
    } else {
        // Mint a winning token for ETH games
        winningToken.mint(_winner, 1);
    }
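
The supply effect described under Impact can be checked with a small accounting model. This is an added Python example, not code from the audited contracts: the Ledger class, the player names, the one-token stake and the two-token mint for token games are assumptions made for illustration.

```python
"""Constructed model of the token accounting described in this finding."""
from collections import defaultdict

GAME = "RockPaperScissors"  # label standing in for the game contract's address


class Ledger:
    """Minimal fungible-token ledger: balances plus total supply."""

    def __init__(self):
        self.balances = defaultdict(int)
        self.total_supply = 0

    def mint(self, to, amount):
        self.balances[to] += amount
        self.total_supply += amount

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount


def play_token_games(rounds, settle_with_mint):
    """Play `rounds` token-based games in which alice always wins."""
    token = Ledger()
    token.mint("alice", 1)      # seed balances (assumed won in earlier ETH games)
    token.mint("bob", rounds)
    for _ in range(rounds):
        # Both players stake one token into the game contract.
        token.transfer("alice", GAME, 1)
        token.transfer("bob", GAME, 1)
        if settle_with_mint:
            token.mint("alice", 2)            # behaviour reported in the finding
        else:
            token.transfer(GAME, "alice", 2)  # recommended fix
    return token


def report(token):
    """Summarise the two quantities the finding is about."""
    return {"total_supply": token.total_supply,
            "held_by_game": token.balances[GAME]}


if __name__ == "__main__":
    print("mint on settle:    ", report(play_token_games(5, True)))
    print("transfer on settle:", report(play_token_games(5, False)))
```

In this model the winner ends with the same balance either way; the difference is that settling with mint grows total supply by two tokens per game and leaves the staked tokens sitting in the game contract's balance.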
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Minting Instead of Transferring Staked Tokens

Mints new tokens upon game completion or cancellation for token-based games
