Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Inconsistent Event Data in `createGameWithToken` Function

Summary

The createGameWithToken function in the RockPaperScissors contract emits the GameCreated event with misleading data. While the function transfers 1 WinningToken from the creator to the contract, the event incorrectly reports a bet value of 0, failing to represent the token-based value being wagered.

Vulnerability Details

In the createGameWithToken function, a WinningToken is transferred from the user to the contract:

    function createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval) external returns (uint256) {
        require(winningToken.balanceOf(msg.sender) >= 1, "Must have winning token");
        require(_totalTurns > 0, "Must have at least one turn");
        require(_totalTurns % 2 == 1, "Total turns must be odd");
        require(_timeoutInterval >= 5 minutes, "Timeout must be at least 5 minutes");

        // Transfer token to contract
        winningToken.transferFrom(msg.sender, address(this), 1);

        uint256 gameId = gameCounter++;
        Game storage game = games[gameId];
        game.playerA = msg.sender;
        game.bet = 0; // Zero ether bet because using token
        game.timeoutInterval = _timeoutInterval;
        game.creationTime = block.timestamp;
        game.joinDeadline = block.timestamp + joinTimeout;
        game.totalTurns = _totalTurns;
        game.currentTurn = 1;
        game.state = GameState.Created;

        emit GameCreated(gameId, msg.sender, 0, _totalTurns); // <-- This event reports a bet of 0
        return gameId;
    }

However, the GameCreated event emitted at the end of the function reports a bet amount of 0, which is technically correct for the ETH value but fails to capture the token transfer that represents the actual wager in this transaction.

Impact

  1. Data Integrity: Off-chain monitoring systems relying on event data will have incomplete or misleading information about the game's value.

  2. Auditing Difficulties: The event logs don't provide a complete picture of what happened in the transaction, making it harder to audit or track game activity.

  3. User Interface Issues: Frontends displaying event data will show these games as having "zero value" when they actually involve token stakes.

Tools Used

  • Manual code review

Recommendations

  • Modify the event to include token information

Create a more comprehensive event that can represent both ETH and token bets:

    // Add a new event definition
    event GameCreatedWithToken(uint256 indexed gameId, address indexed creator, uint256 ethBet, uint256 tokenAmount, uint256 totalTurns);

    // In the createGameWithToken function:
    emit GameCreatedWithToken(gameId, msg.sender, 0, 1, _totalTurns);

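
An added example, not part of the submission or the contract's code: a minimal off-chain decoder in Python showing how the same token game reads from the current event versus the proposed one. It assumes `gameId` and `creator` are indexed in `GameCreated` as they are in the proposed event; the helper names and sample logs are constructed for illustration.

```python
WORD = 32  # ABI encodes each non-indexed uint256 as one 32-byte word

def enc(*values):
    """ABI-encode uint256 values as hex log data (builds the constructed samples)."""
    return "0x" + "".join(f"{v:064x}" for v in values)

def words(data_hex):
    """Split hex log data into a list of uint256 values."""
    raw = bytes.fromhex(data_hex[2:])
    if len(raw) % WORD:
        raise ValueError("log data is not a whole number of 32-byte words")
    return [int.from_bytes(raw[i:i + WORD], "big") for i in range(0, len(raw), WORD)]

def decode(log):
    """Return a uniform record; token_amount is None when the event cannot carry it."""
    # Assumption: gameId and creator are indexed, so they arrive in topics[1] and topics[2].
    game_id = int(log["topics"][1], 16)
    creator = "0x" + log["topics"][2][-40:]
    fields = words(log["data"])
    if log["event"] == "GameCreated" and len(fields) == 2:
        eth_bet, token_amount, turns = fields[0], None, fields[1]
    elif log["event"] == "GameCreatedWithToken" and len(fields) == 3:
        eth_bet, token_amount, turns = fields
    else:
        raise ValueError("unexpected event or data length")
    return {"game_id": game_id, "creator": creator, "eth_bet": eth_bet,
            "token_amount": token_amount, "total_turns": turns}

def looks_unstaked(record):
    """What a monitor concludes when it only has the event to go on."""
    return record["eth_bet"] == 0 and not record["token_amount"]

# Constructed sample logs for one token game (game 7, 3 turns). topics[0] is a
# placeholder: a real indexer matches it against keccak256 of the event signature,
# and the "event" key stands in for that match here.
CREATOR_TOPIC = "0x" + "00" * 12 + "ab" * 20
TOPICS = ["0x<topic0-placeholder>", enc(7), CREATOR_TOPIC]
CURRENT_LOG = {"event": "GameCreated", "topics": TOPICS, "data": enc(0, 3)}
PROPOSED_LOG = {"event": "GameCreatedWithToken", "topics": TOPICS, "data": enc(0, 1, 3)}

if __name__ == "__main__":
    for log in (CURRENT_LOG, PROPOSED_LOG):
        rec = decode(log)
        print(log["event"], rec, "looks unstaked:", looks_unstaked(rec))
```
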
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.
