Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

WinningToken Ownership

Vulnerability Details

The WinningToken contract's ownership remains with the initial deployer rather than the RockPaperScissors main contract. This occurs because the token's constructor sets ownership to msg.sender during deployment (the RockPaperScissors deployer), but never transfers it to the game contract itself. As a result, calls to mint() from _finishGame() will revert since the game contract lacks ownership privileges.

Impact

  • Critical: Token-based games cannot reward winners, breaking core protocol functionality

  • All winner token distributions fail, rendering token-based game modes unusable

  • Players would permanently lose access to token-based features without manual admin intervention

Recommendations

  1. Transfer Ownership During Initialization
    Modify the RockPaperScissors constructor to claim token ownership:

    constructor() {
        winningToken = new WinningToken();
        winningToken.transferOwnership(address(this)); // Add this line
        adminAddress = msg.sender;
    }

  2. Verify Ownership in Game Logic
    Add an ownership check during contract initialization:

    require(winningToken.owner() == address(this), "Token ownership not set");

Proof of Concept

The current flawed flow:

  1. Deployer creates RockPaperScissors contract

  2. RockPaperScissors constructor deploys WinningToken (owner = deployer)

  3. Game contract attempts to mint tokens → Reverts

Fixed flow after changes:

  1. Deployer creates RockPaperScissors

  2. Game contract deploys token and becomes owner

  3. mint() calls succeed from game logic

This fix ensures the game contract has proper authority to distribute winner tokens as intended in the protocol design.

Updates

Appeal created

m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
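
Added example, not part of the submission, the judgement, or the contest code: a minimal sketch of how `msg.sender` resolves when one contract deploys another with `new`, which is the mechanism the ownership claim above depends on. `MiniToken`, `MiniGame` and `OwnershipCheck` are hypothetical stand-ins; the real WinningToken source is not shown on this page, and the sketch assumes only what the submission states, that the token constructor assigns ownership to `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for an owner-gated token: the constructor records
// msg.sender as owner, as the submission describes for WinningToken.
contract MiniToken {
    address public owner;
    mapping(address => uint256) public balanceOf;

    constructor() {
        // msg.sender is the immediate creator of this contract, not tx.origin.
        owner = msg.sender;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
    }
}

// Hypothetical stand-in for the game: deploys the token from its constructor.
contract MiniGame {
    MiniToken public token;
    address public admin;

    constructor() {
        token = new MiniToken(); // the creation is issued by this contract
        admin = msg.sender;      // the account (or contract) that deployed the game
        // Deployment-time invariant, same shape as the check recommended above.
        require(token.owner() == address(this), "Token ownership not set");
    }

    function reward(address winner) external {
        token.mint(winner, 1); // passes the owner gate only if this contract is the owner
    }
}

// Harness: returns (token owned by game, token owned by game's deployer, winner balance).
contract OwnershipCheck {
    function run() external returns (bool, bool, uint256) {
        MiniGame game = new MiniGame();
        MiniToken t = game.token();
        game.reward(address(0xBEEF));
        return (t.owner() == address(game), t.owner() == address(this), t.balanceOf(address(0xBEEF)));
    }
}
```

Deploying `OwnershipCheck` and calling `run()` in Remix or a Foundry test reports which address ended up as the token owner and whether the game's mint call went through.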
