The RockPaperScissors contract does not provide an admin function to manage or withdraw WinningToken tokens accumulated from token-based games, resulting in tokens being locked in the contract without a clear purpose. This limits administrative control and flexibility compared to the ETH fee withdrawal mechanism.
In token-based games, players transfer WinningToken tokens to the contract via RockPaperScissors::createGameWithToken and RockPaperScissors::joinGameWithToken. These tokens are held by the contract but are not used when distributing prizes or refunds, as the contract mints new tokens instead (see RockPaperScissors::_finishGame, _handleTie, _cancelGame). Unlike ETH fees, which can be withdrawn using RockPaperScissors::withdrawFees, there is no equivalent function to manage the contract's WinningToken balance (RockPaperScissors::winningToken). This leaves tokens accumulated in the contract inaccessible, as no function exists to interact with winningToken.balanceOf(address(this)).
The lack of a token withdrawal function results in tokens being permanently locked in the contract, reducing administrative control and potentially leading to unintended token accumulation. This could confuse users or auditors about the contract's token management and limit the admin's ability to repurpose or redistribute these tokens. The issue is low severity due to its limited financial impact and the admin-only context, but it affects contract usability and maintenance.
Add an admin-only function to withdraw accumulated WinningToken tokens, mirroring the withdrawFees function for ETH. This ensures the admin can manage the contract's token balance effectively.
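An added example of the recommended fix, not code from the RockPaperScissors contract or its authors: an admin-gated withdrawal for the contract's WinningToken balance, shaped after the ETH withdrawFees path. `adminAddress`, `onlyAdmin` and the `withdrawTokens` name are assumptions standing in for whatever admin storage and modifier the real contract uses; `winningToken` and `withdrawFees` are the names the finding cites.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the withdrawal helper.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract RockPaperScissorsTokenAdmin {
    // Assumed: the game contract already stores the admin and the token.
    // `winningToken` is the state variable named in the finding; `adminAddress`
    // is a placeholder for the contract's actual admin storage/modifier.
    address public adminAddress;
    IERC20 public winningToken;

    event TokensWithdrawn(address indexed to, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == adminAddress, "Only admin");
        _;
    }

    /// @notice Admin-only withdrawal of WinningToken held by this contract,
    ///         the token counterpart of withdrawFees for ETH.
    /// @param to     Recipient of the tokens (the zero address is rejected).
    /// @param amount Amount to withdraw; 0 means "withdraw the full balance".
    function withdrawTokens(address to, uint256 amount) external onlyAdmin {
        require(to != address(0), "Zero recipient");
        uint256 held = winningToken.balanceOf(address(this));
        uint256 toSend = amount == 0 ? held : amount;
        require(toSend > 0 && toSend <= held, "Invalid amount");
        // Check the return value: some ERC-20s signal failure with false
        // rather than reverting.
        require(winningToken.transfer(to, toSend), "Token transfer failed");
        emit TokensWithdrawn(to, toSend);
    }
}
```

Because prizes and refunds are minted rather than paid out of the contract's held balance (see _finishGame, _handleTie, _cancelGame above), draining that balance does not affect any in-flight game; the event gives auditors an on-chain record of each withdrawal.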