Incorrect Token Accounting leads to token inflation and locked Tokens
Summary
In the RockPaperScissors contract, when a token-based game finishes, the contract mints new tokens for the winner instead of transferring the tokens that were collected during game creation/joining. This leads to token accumulation in the contract and effective double-spending of tokens, as the original deposited tokens remain locked in the contract forever.
Vulnerability Details
During game creation and joining with tokens:
But in the finish function:
The issue occurs because:
Players deposit tokens to the contract during game creation/joining (2 tokens total)
Upon game completion, instead of transferring these tokens, new tokens are minted
The original deposited tokens remain locked in the contract
This creates an unlimited supply of new tokens while old ones accumulate
Impact
-
Token Supply Inflation
Each completed token game increases total supply by 2 tokens
Original tokens remain locked forever
Uncontrolled token supply expansion
-
Asset Lock
Deposited tokens are permanently locked in the contract
No mechanism to recover these tokens
Value is effectively lost
-
Economic Impact
Token value may decrease due to supply inflation
Original token deposits become dead capital
Protocol accumulates worthless token reserves
Tools Used
Manual review
Recommendations
Replace minting with transfer of existing tokens:
Appeal created
Minting Instead of Transferring Staked Tokens
Mints new tokens upon game completion or cancellation for token-based games
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.