Vulnerability Details
The contract defines a GameState.Revealed enum value that is intended to represent the reveal phase of a game. However, this state is never used in the contract logic. Instead, the game remains in the Committed state throughout the reveal phase and only transitions to Finished or Cancelled afterward. This discrepancy exposes an incomplete or inconsistent state machine, which can cause misunderstandings, brittle assumptions, and potentially faulty behavior in game logic or external integrations.
The GameState enum defines the following states:
But during actual execution:
Games transition only through: Created → Committed → Finished/Cancelled.
The Revealed state is never set, even during reveal operations.
Unused Enum Value:
GameState.Revealed is defined but never used.
Indicates an intended phase (reveal) was meant to be tracked explicitly, but isn’t.
Incorrect Game Phase Representation:
Games remain in Committed even after players reveal their moves.
This makes the game state misrepresent the true lifecycle.
Impact
Misleading State Tracking: Developers and integrators may falsely assume the game is still in the commit phase, even when players are already revealing moves.
Off-By-One Logic Errors: Conditionals checking for GameState.Revealed will silently fail since no game ever enters that state.
Code Maintainability Risk: The mismatch between declared states and used states creates dead code.
Tools Used
Manual Review
Recommended Mitigation Steps
To address both the root cause and the symptoms:
Complete the State Machine:
Explicitly set GameState.Revealed after all players have revealed their moves.
This clarifies the game lifecycle and makes it more auditable and predictable.
Refactor Related Logic:
Ensure that any downstream functions, frontends, or internal checks refer to the proper state transitions.
Adjust or add checks to account for the new Revealed state if you adopt it.
OR Remove Unused State:
If reveal-phase tracking is not needed, remove the Revealed enum value to prevent confusion and reduce technical debt.
Document Lifecycle Clearly:
Provide high-level comments or diagrams to show intended transitions:
Created → Committed → Revealed → Finished/Cancelled (if using Revealed)
or
Created → Committed → Finished/Cancelled (if removing it).
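One way to complete the state machine, as an added sketch that is not the audited contract's code: a single transition function enforces the documented edges, and reveal() moves the game to Revealed once both players have opened their commitments. Every name except the GameState values is hypothetical, cancellation is assumed to be allowed from Committed and from Revealed, and winner selection and payout are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch: every name except the GameState values is hypothetical.
contract RevealStateSketch {
    enum GameState { Created, Committed, Revealed, Finished, Cancelled }
    struct Game { address[2] players; bytes32[2] commits; bool[2] revealed; GameState state; }
    mapping(uint256 => Game) internal games;
    event StateChanged(uint256 indexed id, GameState from, GameState to);

    // Single choke point for state writes; edges follow the lifecycle with Revealed kept.
    function _transition(uint256 id, GameState to) internal {
        GameState from = games[id].state;
        bool ok = (from == GameState.Created && to == GameState.Committed)
            || (from == GameState.Committed && (to == GameState.Revealed || to == GameState.Cancelled))
            || (from == GameState.Revealed && (to == GameState.Finished || to == GameState.Cancelled));
        require(ok, "invalid transition");
        games[id].state = to;
        emit StateChanged(id, from, to);
    }

    function stateOf(uint256 id) external view returns (GameState) { return games[id].state; }
    function create(uint256 id, bytes32 commitment) external {
        require(games[id].players[0] == address(0), "game exists");
        games[id].players[0] = msg.sender;
        games[id].commits[0] = commitment;
    }

    function join(uint256 id, bytes32 commitment) external {
        Game storage g = games[id];
        require(g.players[0] != address(0) && g.players[1] == address(0), "cannot join");
        require(msg.sender != g.players[0], "same player");
        g.players[1] = msg.sender;
        g.commits[1] = commitment;
        _transition(id, GameState.Committed); // both commitments are in
    }

    function reveal(uint256 id, uint8 move, bytes32 salt) external {
        Game storage g = games[id];
        require(g.state == GameState.Committed, "reveal window closed");
        uint256 i = msg.sender == g.players[0] ? 0 : 1;
        require(msg.sender == g.players[i], "not a player");
        require(!g.revealed[i], "already revealed");
        require(keccak256(abi.encodePacked(move, salt)) == g.commits[i], "commitment mismatch");
        g.revealed[i] = true;
        // The transition the finding reports as missing: leave Committed once both have revealed.
        if (g.revealed[0] && g.revealed[1]) _transition(id, GameState.Revealed);
    }

    function finish(uint256 id) external { _transition(id, GameState.Finished); } // reverts unless Revealed
}
```

Because finish() can only succeed from Revealed, a call made while a reveal is still outstanding reverts, and the StateChanged event gives frontends and bots an explicit signal for each phase change.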
Why It’s More Than Just Informational:
Incomplete state tracking introduces subtle risks:
Future logic may rely on GameState.Revealed and break silently.
External systems (e.g. frontends, off-chain games, or bots) may make incorrect assumptions based on stale state.
Misleading lifecycle flow increases the chance of human error during upgrades or debugging.
By aligning the declared states with the actual flow of the contract, you reduce the risk of hidden logic bugs and improve the maintainability and correctness of the system.