Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Misleading/wrong require statement

Summary

RockPaperScissors::joinGameWithToken has a require() with the following problems:

  1. Checks for an invalid condition (game.bet == 0), and

  2. Provides a misleading error message that contradicts the business logic of the function.

Vulnerability Details

require(game.bet == 0, "This game requires ETH bet");

Issue 1: Logic is Flawed

game.bet should NOT be equal to 0

The function joinGameWithToken is intended to be used for token-based games, not ETH-based games. If game.bet == 0, that actually is the correct condition for token games — no ETH is required.

However, the current require() enforces that game.bet == 0, while suggesting that the game requires ETH. This contradicts the behavior and business intent.

Issue 2: Error message is misleading

The function is supposed to work with tokens, not ETH

The revert message "This game requires ETH bet" implies that this function is meant for ETH games, which is incorrect — this function handles token-based joins, and should logically reject ETH-bet games.

Impact: High

  • Misuse of the function

  • Broken front-end integration

  • Auditors or developers misinterpreting intended behavior

  • Difficulty in debugging failed transactions

Tools Used

Manual review

Recommendations

require(game.bet != 0, "This game requires ETH bet");

OR

require(game.bet != 0, "This game requires TOKEN bet");

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Game Staking Inconsistency

joinGameWithEth function lacks a check to verify the game was created with ETH
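
An added illustration of the stake-type consistency that the finding and the judge's tag are about, not code from the audited contract: each game records how it was staked at creation, and each join path rejects the other kind with a revert message that names the correct function. The contract name, `IStakeToken`, `StakeMode`, the struct layout, the one-unit token stake and all revert strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
// Added illustration. Every name here is hypothetical, not the audited contract's.
interface IStakeToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakeModeGuard {
    enum StakeMode { Eth, Token }
    struct Game {
        address playerA;
        address playerB;
        uint256 bet;     // wei per player; 0 for token games
        StakeMode mode;  // recorded at creation, never inferred from bet
    }
    IStakeToken public immutable token;
    uint256 public gameCount;
    mapping(uint256 => Game) public games;

    constructor(IStakeToken _token) { token = _token; }

    function createGameWithEth() external payable returns (uint256 id) {
        require(msg.value > 0, "ETH game needs a non-zero bet");
        id = gameCount++;
        games[id] = Game(msg.sender, address(0), msg.value, StakeMode.Eth);
    }

    function createGameWithToken() external returns (uint256 id) {
        id = gameCount++;
        games[id] = Game(msg.sender, address(0), 0, StakeMode.Token);
        // Assumed stake of one token unit.
        require(token.transferFrom(msg.sender, address(this), 1), "Token stake failed");
    }

    function joinGameWithEth(uint256 id) external payable {
        Game storage game = games[id];
        require(game.playerA != address(0), "No such game");
        require(game.playerB == address(0), "Game already joined");
        require(game.mode == StakeMode.Eth, "Token game: use joinGameWithToken");
        require(msg.value == game.bet, "ETH sent must equal the bet");
        game.playerB = msg.sender;
    }

    function joinGameWithToken(uint256 id) external {
        Game storage game = games[id];
        require(game.playerA != address(0), "No such game");
        require(game.playerB == address(0), "Game already joined");
        require(game.mode == StakeMode.Token, "ETH game: use joinGameWithEth");
        game.playerB = msg.sender; // state first, external call last
        require(token.transferFrom(msg.sender, address(this), 1), "Token stake failed");
    }
}
```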
