Rock Paper Scissors

First Flight #38

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Inflation Sink on Cancel/Finish in `RockPaperScissors.sol`

kweks

Vulnerability Details

Bug Description

The contract improperly handles token refunds when a game is cancelled or finished. Instead of returning the originally staked tokens it holds, it mints new tokens to players.

This leads to two critical issues:

Staked tokens remain permanently locked in the contract.
The total supply of tokens increases with every game, even when there is no net winner.

This issue is not only a flaw in business logic but also creates a hidden inflation loop that can damage the token economy and user trust over time.

Impact

Unbounded Inflation: Every game adds new tokens to circulation. Over time, this leads to significant supply inflation.
Token Devaluation: With more tokens minted than necessary, the value of each token decreases, disincentivizing holders and undermining token economics.
Contract Token Sink: The contract builds up a stockpile of unused tokens that are effectively burned, but without reducing the total supply. These tokens become permanently inaccessible.
Inaccurate Token Metrics: On-chain token supply and distribution metrics become misleading, affecting integrations, analytics, and investor perception.

Tools Used

Manual Review of RockPaperScissors.sol
Logical trace of _cancelGame() and _handleFinish() execution paths
Understanding of ERC-20 behavior and minting implications

Recommended Mitigation Steps

Stop Minting Tokens for Refunds
- Eliminate the use of winningToken.mint(...) in _cancelGame() and _handleFinish().
Use Stored/Staked Tokens for Payouts
- When players stake tokens at game start, store them safely in the contract.
- Upon game completion (win, tie, or cancel), transfer these same tokens back to the appropriate players:
  
  winningToken.transfer(playerA, 1);
  winningToken.transfer(playerB, 1);
Add a Recovery Fallback (Optional)
- Consider implementing an emergency admin function to recover and redistribute any locked tokens, if needed, for legacy games.
Audit for Supply Alignment
- Ensure that token balances and total supply remain in sync throughout the game lifecycle. Supply should only increase through legitimate means (e.g., rewards, governance-mandated minting).

Updates

Appeal created

m3dython Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

Minting Instead of Transferring Staked Tokens

Mints new tokens upon game completion or cancellation for token-based games

Rewards breakdown

nSLOC

349

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.