The protocol incorrectly handles token refunds in game cancellation and tie scenarios by minting new tokens instead of returning staked tokens. This results in permanent loss of originally staked tokens and unintended token supply inflation.
Affected Functions:
_cancelGame()
- Token refund logic
_handleTie()
- Tie resolution logic
Root Cause:
When cancelling games or handling ties, the contract attempts to "refund" tokens by minting new ones to players:
The staked tokens remain permanently locked in the contract while new tokens are created, leading to:
Loss of original player tokens
Uncontrolled supply growth
Code Proof:
High Severity:
Direct Financial Loss: Players never recover originally staked tokens
Contract Lockup: Staked tokens become permanently inaccessible
Systemic Risk: Over time, this could collapse token economics
Manual review identified a mismatch between the staking and minting logic.
Immediate Fix:
Replace mints with transfers for refunds:
Long-Term Recommendations:
Implement a token custody ledger to track player deposits
Add circuit breakers for abnormal cancellation rates
Use separate contracts for token custody vs game logic
This fix preserves token supply integrity while ensuring players recover their original assets, maintaining the protocol's economic stability.
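The refund bug and its fix, side by side, as an added sketch that is not the audited protocol's code. The page names `_cancelGame()` and `_handleTie()`; the token interface, the `STAKE` value, the `Game` struct and the `create`/`join` helpers are assumptions made for illustration. The same mint-versus-transfer distinction applies to the tie path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token interface; the page does not show the real one.
interface IStakeToken {
    function mint(address to, uint256 amount) external;
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RefundSketch {
    IStakeToken public immutable token;
    uint256 public constant STAKE = 1e18; // constructed value
    struct Game { address playerA; address playerB; bool settled; }
    mapping(uint256 => Game) public games;
    uint256 public nextId;

    constructor(IStakeToken token_) { token = token_; }

    // Staking moves real tokens into this contract's balance (escrow).
    function create() external returns (uint256 id) {
        id = nextId++;
        games[id].playerA = msg.sender;
        require(token.transferFrom(msg.sender, address(this), STAKE), "stake failed");
    }

    function join(uint256 id) external {
        Game storage g = games[id];
        require(g.playerA != address(0) && g.playerB == address(0) && !g.settled, "not joinable");
        g.playerB = msg.sender;
        require(token.transferFrom(msg.sender, address(this), STAKE), "stake failed");
    }

    // Pattern the finding describes: the escrowed stakes never leave the
    // contract, and each "refund" raises total supply by STAKE.
    function _cancelGameMinting(uint256 id) internal {
        Game storage g = games[id];
        g.settled = true;
        token.mint(g.playerA, STAKE);
        if (g.playerB != address(0)) token.mint(g.playerB, STAKE);
    }

    // Corrected pattern: return the escrowed tokens; total supply is unchanged
    // and the contract's balance for this game drops back to zero.
    function _cancelGameRefunding(uint256 id) internal {
        Game storage g = games[id];
        require(!g.settled, "already settled");
        g.settled = true; // state change before the external calls
        require(token.transfer(g.playerA, STAKE), "refund A failed");
        if (g.playerB != address(0)) require(token.transfer(g.playerB, STAKE), "refund B failed");
    }
}
```

A regression test for this class of bug can assert two invariants after any cancellation or tie: the token's total supply is unchanged, and the contract's token balance equals the sum of stakes in unsettled games.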
Mints new tokens upon game completion or cancellation for token-based games