Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: medium
Valid

Revealed Moves Are Publicly Accessible Before Opponent Reveals (Commit-Reveal Breakage)

Description:

The current implementation of the revealMove() function publicly exposes both the player’s move and their salt on-chain. Since all transaction inputs and emitted events are publicly visible on the blockchain, this information is immediately accessible to any observer — including the opponent — once a player calls revealMove().
This breaks the fundamental design of a commit-reveal scheme, which is supposed to ensure fairness by preventing any player from knowing the other’s move before revealing their own. In the current setup, if player B reveals first, player A can inspect the blockchain, read the revealed move and salt, and use that to choose a countering move in their own revealMove() call.

Impact:

This vulnerability introduces a systematic, deterministic advantage for the player who reveals second. By inspecting the transaction of the first player's reveal, the second player can guarantee a win or at least a draw for every round. This breaks the core fairness assumption of the game and can be exploited repeatedly and reliably, severely harming user trust and game integrity.

Recommended Mitigation:

To preserve fairness in the commit-reveal pattern, the protocol should enforce simultaneous or truly independent reveals. Possible mitigations include:

  • Off-chain coordination: Require both players to share their reveals off-chain and only allow progressing the game when both reveals are submitted together in a batched transaction (e.g., via revealBothMoves()).

  • Zero-Knowledge Commitments: Explore advanced cryptographic techniques to validate moves without revealing them publicly (complex but ideal).

Until such protections are in place, the commit-reveal mechanism can be easily abused and does not provide the fairness it is intended to guarantee.
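As an added example (not part of the submission or the contest's contract), the following Python model shows the checks a reveal function needs so that a commitment stays binding once the first reveal is public, together with the salt-uniqueness check named in the finding tag. The commitment layout, the `Round` class, the addresses and the salts are assumptions made for illustration, and SHA-256 stands in for Solidity's keccak256.

```python
import hashlib

MOVES = ("rock", "paper", "scissors")

def commitment(game_id, player, move, salt):
    # Assumed layout. SHA-256 stands in for keccak256; game id and player
    # address are hashed in so a copied commitment is useless to the opponent.
    data = game_id.to_bytes(32, "big") + player.encode() + move.encode() + salt
    return hashlib.sha256(data).digest()

class Round:
    used_salts = set()  # shared by every round, like contract storage

    def __init__(self, game_id, players):
        self.game_id = game_id
        self.commits = dict.fromkeys(players)  # player -> digest, None until set
        self.revealed = {}

    def commit(self, player, digest):
        if player not in self.commits or self.commits[player] is not None:
            raise ValueError("unknown player or already committed")
        self.commits[player] = digest

    def reveal(self, player, move, salt):  # returns "accepted" or the rejection reason
        if None in self.commits.values():
            return "both commitments must be stored first"
        if player in self.revealed or move not in MOVES:
            return "duplicate reveal or invalid move"
        if salt in Round.used_salts:
            return "salt already used"
        if commitment(self.game_id, player, move, salt) != self.commits[player]:
            return "reveal does not match commitment"
        Round.used_salts.add(salt)
        self.revealed[player] = move
        return "accepted"

def demo():
    Round.used_salts.clear()  # fresh storage for the demo
    salt_a, salt_b = b"A" * 32, b"B" * 32  # constructed; use random salts in practice
    r1 = Round(1, ["0xA", "0xB"])
    r1.commit("0xA", commitment(1, "0xA", "rock", salt_a))
    r1.commit("0xB", commitment(1, "0xB", "paper", salt_b))
    out = [r1.reveal("0xB", "paper", salt_b),      # B reveals first; now public
           r1.reveal("0xA", "scissors", salt_a),   # A switches to counter paper
           r1.reveal("0xA", "rock", salt_a)]       # A's committed move
    r2 = Round(2, ["0xA", "0xB"])
    r2.commit("0xA", commitment(2, "0xA", "rock", b"C" * 32))
    r2.commit("0xB", commitment(2, "0xB", "rock", salt_b))  # B reuses its round-1 salt
    return out + [r2.reveal("0xB", "rock", salt_b)]
```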

Updates

Appeal created

m3dython Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of Salt Uniqueness Enforcement

The contract does not enforce salt uniqueness
