Rock Paper Scissors

First Flight #38
Beginner Friendly | Solidity
100 EXP
Submission Details
Severity: high
Invalid

WinningToken Sybil Attack Vulnerability Due to Fixed Minimum Bet

Summary

The Rock Paper Scissors game smart contract contains a vulnerability that allows users to perform a Sybil attack by exploiting the token reward mechanism. When a user wins a game with ETH stakes, they receive both the ETH prize and a WinningToken. If the value of this WinningToken exceeds the minimum required ETH bet (minBet), players can create games and join them with different addresses to farm tokens at a profit, leading to an unfair economic advantage and potential token value dilution.

Vulnerability Details

The vulnerability stems from the following issues:

  1. In the _finishGame function, lines 609-611, a winning token is minted to the winner of an ETH-based game:

    // Mint a winning token for ETH games too
    winningToken.mint(_winner, 1);

  2. The minBet value is defined as a constant at 0.01 ETH (line 76):

    uint256 public constant minBet = 0.01 ether;

  3. There's no mechanism to adjust the minBet value after deployment to align with the market value of the WinningToken.

This creates an economic vulnerability: if the value of 1 WinningToken exceeds 0.02 ETH (accounting for the 10% protocol fee), users can:

  1. Create a game with address A using the minimum bet of 0.01 ETH

  2. Join the same game with address B, also paying 0.01 ETH

  3. Ensure one of their addresses wins the game

  4. Receive back the ETH prize (minus protocol fee) plus 1 WinningToken

  5. Repeat this process to accumulate tokens at a profit

The attack becomes economically viable when:
Value of 1 WinningToken > (2 * minBet * (1 - PROTOCOL_FEE_PERCENT/100))

Impact

This vulnerability has several significant impacts:

  1. Token Inflation: Malicious users can mint an excessive number of WinningTokens, potentially devaluing the token.

  2. Economic Imbalance: The attack allows for risk-free acquisition of valuable tokens with minimal ETH investment, creating an unfair advantage.

  3. Protocol Fee Manipulation: While the protocol still collects fees from these self-played games, these fees don't represent genuine game activity.

  4. Game Ecosystem Degradation: An influx of fake games could make it difficult for legitimate players to find real opponents.

  5. Reputation Damage: A visible exploit could damage the platform's reputation and user trust.

The severity is high if the token has or gains significant value, as it would create a direct economic incentive for exploitation.

Tools Used

  • Manual code review

  • Economic incentive analysis

  • Game theory analysis

Recommendations

  1. Dynamic Minimum Bet:
    Replace the constant minBet with a state variable that the admin can adjust as the token's market value changes:

    // No longer a constant: the admin can raise it when the WinningToken's value rises
    uint256 public minBet = 0.01 ether;

    // adminAddress is the contract's existing admin account
    function setMinBet(uint256 _newMinBet) external {
        require(msg.sender == adminAddress, "Only admin can update minimum bet");
        require(_newMinBet > 0, "Minimum bet must be greater than zero");
        minBet = _newMinBet;
    }

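The following Python is an added example, not code from the Rock Paper Scissors contract or from the submission. It works through the economics of one self-played round in integer wei, as the contract would: both addresses stake minBet, the winning address receives the pot minus the protocol fee (assumed 10%, taken from the whole pot) plus one WinningToken valued externally, so the ETH cost of a round is exactly the fee charged. It also derives, for a given token value, the smallest minBet at which that fee equals or exceeds the token's value, which is the figure an admin would pass to a setter like the recommended setMinBet. The function names and the `ETHER` and `PROTOCOL_FEE_PERCENT` constants are the example's own.

```python
# Added example, not code from the Rock Paper Scissors contract or from the
# submission: integer (wei) model of one self-played round, as the report
# describes it, for checking whether a given minBet / fee / token-value mix
# leaves token farming profitable.

ETHER = 10**18
PROTOCOL_FEE_PERCENT = 10   # assumed here; the report quotes a 10% protocol fee


def protocol_fee(pot_wei: int, fee_pct: int = PROTOCOL_FEE_PERCENT) -> int:
    """Fee the protocol keeps from the whole pot (truncating, as EVM division does)."""
    return pot_wei * fee_pct // 100


def self_play_net_profit(min_bet_wei: int, token_value_wei: int,
                         fee_pct: int = PROTOCOL_FEE_PERCENT) -> int:
    """Net change, in wei-equivalent, across both addresses for one round.

    Both addresses stake min_bet_wei; whichever of them wins receives the pot
    minus the fee plus one WinningToken, valued externally at token_value_wei.
    """
    pot = 2 * min_bet_wei
    prize = pot - protocol_fee(pot, fee_pct)
    return prize + token_value_wei - pot       # == token_value_wei - fee


def break_even_token_value(min_bet_wei: int,
                           fee_pct: int = PROTOCOL_FEE_PERCENT) -> int:
    """Token value at which a round stops losing ETH: exactly the fee paid."""
    return protocol_fee(2 * min_bet_wei, fee_pct)


def min_bet_to_deter(token_value_wei: int,
                     fee_pct: int = PROTOCOL_FEE_PERCENT) -> int:
    """Smallest minBet at which the fee on a self-played round is at least the
    token's value, i.e. the figure an admin would pass to a setMinBet()."""
    if fee_pct <= 0:
        raise ValueError("with no protocol fee, no minBet makes self-play unprofitable")
    # ceil(token_value * 100 / (2 * fee_pct)), via floor division on the negated value
    return -(-token_value_wei * 100 // (2 * fee_pct))


if __name__ == "__main__":
    min_bet = 10**16                     # 0.01 ether, the contract's constant
    # Constructed sample token valuations, in wei
    samples = {"0 ETH": 0, "0.002 ETH": 2 * 10**15, "0.02 ETH": 2 * 10**16}
    print(f"break-even token value at minBet 0.01 ETH: "
          f"{break_even_token_value(min_bet) / ETHER:.4f} ETH")
    for label, value in samples.items():
        net = self_play_net_profit(min_bet, value)
        deter = min_bet_to_deter(value)
        print(f"token worth {label:>10}: net per round {net / ETHER:+.4f} ETH, "
              f"minBet needed to deter {deter / ETHER:.4f} ETH")
```

Running it lists, for each sample token value, the net result of a round at the contract's 0.01 ether constant next to the minimum bet that would make the same round non-profitable; `min_bet_to_deter` rounds up so the result never leaves a round marginally profitable.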
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
