Rock Paper Scissors
First Flight #38
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Locked-up deposited tokens & economic drain

jufel

Description: Players "stake" one token each when creating/joining a token game. Those tokens are never returned; instead, winners receive freshly minted tokens. The contract thus hoards every token deposit—and continually inflates supply by minting extra tokens to winners.

Impact: Players lose 1 RPSW token every time they play (even winners). Token supply inflation is unbounded, severely devaluing the token.

Recommended Mitigation: At game end, return the two staked tokens from the contract's balance to the winner (or split on tie), rather than minting new ones.

function _finishGame(uint256 _gameId, address _winner) internal {
if (game.bet == 0) {
- winningToken.mint(_winner, 2);
+ winningToken.transferFrom(address(this), _winner, 2);
} else {
winningToken.mint(_winner, 1);
}
}
function _handleTie(uint256 _gameId) internal {
if (game.bet == 0) {
- winningToken.mint(game.playerA, 1);
- winningToken.mint(game.playerB, 1);
+ winningToken.transferFrom(address(this), game.playerA, 1);
+ winningToken.transferFrom(address(this), game.playerB, 1);
}
}
Updates

Appeal created

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Minting Instead of Transferring Staked Tokens

Mints new tokens upon game completion or cancellation for token-based games

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.