Rock Paper Scissors

First Flight #38
Beginner Friendly · Solidity
100 EXP
Submission Details
Severity: low
Invalid

Fixed Token Stake Amount in Winner Token Games

Summary

The Rock Paper Scissors smart contract contains a discrepancy between its documentation and implementation regarding token stakes. While the documentation suggests that players can specify variable amounts of tokens to stake, the implementation forces exactly 1 Winner Token to be transferred when creating or joining a token-based game. This hardcoded value limits player flexibility and creates inconsistency between the ETH-based and token-based game implementations.

Vulnerability Details

The issue is present in both the createGameWithToken and joinGameWithToken functions:
In createGameWithToken (lines 116-139):

// Transfer token to contract
winningToken.transferFrom(msg.sender, address(this), 1);

In joinGameWithToken (lines 164-183):

// Transfer token to contract
winningToken.transferFrom(msg.sender, address(this), 1);

In both cases, the token amount is hardcoded to exactly 1 token, without providing any option for the player to specify a different amount as is possible with ETH-based games. This represents a rigid implementation that limits player options and creates inconsistency with the documented behavior.

Impact

The impact of this issue is minor to moderate:

  • Functional Limitation: Players cannot stake multiple tokens even if they want to wager more.

  • Inconsistent Design: ETH-based games allow variable bet amounts (above a minimum), while token games don't.

  • Documentation Mismatch: The contract behavior doesn't match documented capabilities, potentially causing user confusion.

Tools Used

  • Manual code review

Recommendations

To address this issue, implement one of the following changes:

  • Allow Variable Token Stakes:
    Modify the token-based game functions to accept a parameter specifying the number of tokens to stake, similar to how ETH bets work.

  • Update Documentation:
    Alternatively, state in the documentation that token-based games stake exactly 1 Winner Token, so the documented behavior matches the implementation.
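As an added example of the first recommendation, not code from the audited contract: a sketch in which the creator chooses the token stake and the joiner must match it, mirroring how ETH games accept a variable bet above a minimum. The Game struct fields, MIN_TOKEN_STAKE, the OpenZeppelin SafeERC20 wrapper and the omitted turn logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative sketch, not the audited contract: only the stake handling is
/// shown, and the Game fields, the minimum and the turn logic are assumed.
contract TokenStakeSketch {
    using SafeERC20 for IERC20;

    struct Game {
        address playerA;
        address playerB;
        uint256 tokenStake; // assumed field: the stake fixed at creation
    }

    IERC20 public immutable winningToken;
    uint256 public constant MIN_TOKEN_STAKE = 1; // assumed, mirrors the ETH minimum bet
    uint256 public gameCounter;
    mapping(uint256 => Game) public games;

    constructor(IERC20 _winningToken) {
        winningToken = _winningToken;
    }

    // The creator chooses the stake (the original hardcodes 1 here), subject to a minimum.
    function createGameWithToken(uint256 _tokenStake) external returns (uint256 gameId) {
        require(_tokenStake >= MIN_TOKEN_STAKE, "Stake below minimum");
        gameId = gameCounter++;
        Game storage game = games[gameId];
        game.playerA = msg.sender;
        game.tokenStake = _tokenStake;
        // safeTransferFrom also reverts on tokens that return false rather than reverting
        winningToken.safeTransferFrom(msg.sender, address(this), _tokenStake);
    }

    // The joiner does not pick an amount: they must match the creator's stake, which
    // keeps the pot symmetric in the same way an ETH game requires msg.value to match.
    function joinGameWithToken(uint256 _gameId) external {
        Game storage game = games[_gameId];
        require(game.playerA != address(0) && game.playerB == address(0), "Game not open");
        require(msg.sender != game.playerA, "Cannot join own game");
        game.playerB = msg.sender;
        winningToken.safeTransferFrom(msg.sender, address(this), game.tokenStake);
    }
}
```

The stake is read from storage when joining rather than taken as a second parameter, so a joiner cannot under-fund the pot; the remaining game logic would pay out 2 * tokenStake to the winner.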

Updates

Appeal created

m3dython Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.
