Rock Paper Scissors

First Flight #38
Submission Details
Severity: high
Invalid

Lack of Commitment Scheme Enables Move Revelation and Cheating

Summary

Players submit their moves in plaintext, allowing the second player to see the first player's move before submitting theirs. This enables front-running and undermines fairness.

Vulnerability Details

The playMove function accepts the player’s move in an unencrypted form, directly written to contract storage:

function playMove(uint256 gameId, Move move) external {
    Game storage game = games[gameId];
    require(game.status == GameStatus.WaitingForMoves, "Game not accepting moves");
    // The move is written as a plain enum value: it is visible in the
    // transaction calldata while pending in the mempool and readable from
    // contract storage once mined.
    if (msg.sender == game.player1) {
        game.move1 = move;
    } else if (msg.sender == game.player2) {
        game.move2 = move;
    }
}

This design makes it trivial for the second player to monitor pending transactions or read storage and submit a counter-move that always wins.

Impact

  • Complete undermining of game fairness.

  • Enables both manual cheating and automated MEV exploitation.

Tools Used

Manual Review

Recommendations

Replace plaintext submission with a commit-reveal scheme:

function commitMove(uint256 gameId, bytes32 commitment) external {
    // Store commitment = keccak256(move, nonce). The nonce must be a secret,
    // random value chosen by the player; without it the three possible Move
    // values could be hashed and matched against the commitment.
}

function revealMove(uint256 gameId, Move move, string memory nonce) external {
    // Recompute keccak256(move, nonce) and require it to equal the stored
    // commitment before accepting the move; resolve the game only after
    // both players have revealed.
}

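The following contract is an added illustration of the commit-reveal flow recommended above, covering both the plaintext-storage problem described under Vulnerability Details and the sketch in the Recommendations. It is not code from the Rock Paper Scissors contract or from this submission; the names (CommitRevealRPS, Move, Game, games, createGame, commitMove, revealMove, computeCommitment, REVEAL_WINDOW) and the use of a bytes32 salt in place of a string nonce are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited contract): two-player rock-paper-scissors
/// where moves are committed as hashes first and revealed only once both
/// commitments are on-chain, so neither player can see the other's move early.
contract CommitRevealRPS {
    enum Move { None, Rock, Paper, Scissors }

    struct Game {
        address player1;
        address player2;
        bytes32 commit1;
        bytes32 commit2;
        Move move1;
        Move move2;
        uint256 revealDeadline; // non-zero once both commitments are stored
    }

    // Assumed reveal window; a player who never reveals should forfeit after it.
    uint256 public constant REVEAL_WINDOW = 1 days;
    uint256 public nextGameId;
    mapping(uint256 => Game) public games;

    event Committed(uint256 indexed gameId, address indexed player);
    event Revealed(uint256 indexed gameId, address indexed player, Move move);

    function createGame(address opponent) external returns (uint256 gameId) {
        require(opponent != address(0) && opponent != msg.sender, "bad opponent");
        gameId = nextGameId++;
        games[gameId].player1 = msg.sender;
        games[gameId].player2 = opponent;
    }

    /// Off-chain, each player computes
    ///   keccak256(abi.encodePacked(gameId, player, uint8(move), salt))
    /// with a fresh random 32-byte salt. Binding gameId and player to the hash
    /// stops a commitment from being copied by the opponent or replayed in
    /// another game; the salt stops the three Move values from being guessed.
    function computeCommitment(uint256 gameId, address player, Move move, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encodePacked(gameId, player, uint8(move), salt));
    }

    function commitMove(uint256 gameId, bytes32 commitment) external {
        Game storage game = games[gameId];
        require(commitment != bytes32(0), "empty commitment");
        if (msg.sender == game.player1) {
            require(game.commit1 == bytes32(0), "already committed");
            game.commit1 = commitment;
        } else if (msg.sender == game.player2) {
            require(game.commit2 == bytes32(0), "already committed");
            game.commit2 = commitment;
        } else {
            revert("not a player");
        }
        // The reveal phase opens only when both players are locked in.
        if (game.commit1 != bytes32(0) && game.commit2 != bytes32(0)) {
            game.revealDeadline = block.timestamp + REVEAL_WINDOW;
        }
        emit Committed(gameId, msg.sender);
    }

    function revealMove(uint256 gameId, Move move, bytes32 salt) external {
        Game storage game = games[gameId];
        require(game.revealDeadline != 0, "reveal phase not open");
        require(block.timestamp <= game.revealDeadline, "reveal window closed");
        require(move != Move.None, "invalid move");

        bytes32 expected = computeCommitment(gameId, msg.sender, move, salt);
        if (msg.sender == game.player1) {
            require(game.move1 == Move.None, "already revealed");
            require(expected == game.commit1, "commitment mismatch");
            game.move1 = move;
        } else if (msg.sender == game.player2) {
            require(game.move2 == Move.None, "already revealed");
            require(expected == game.commit2, "commitment mismatch");
            game.move2 = move;
        } else {
            revert("not a player");
        }
        emit Revealed(gameId, msg.sender, move);
    }
}
```

The ordering is the point: a reveal transaction only becomes valid after both commitments exist, so watching the mempool or reading storage during the commit phase yields nothing but hashes. The second guard a deployment still needs is a forfeit path for a player who sees the opponent's reveal and then declines to reveal a losing move; REVEAL_WINDOW is stored so that such a function can settle the game in favour of the player who did reveal.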
Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
