Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Token Minting Authorization Failure

Summary

The RockPaperScissors contract attempts to mint RPSW tokens via winningToken.mint(), but the WinningToken contract’s owner is set to the admin (deployer), not the RockPaperScissors contract itself. Since the mint function is restricted to the token owner (admin), all calls to mint tokens from RockPaperScissors will revert, making token rewards non-functional.

Vulnerability Details

The WinningToken's mint function is restricted to its owner, which is set to the deployer of the RockPaperScissors contract (not the contract itself).

  • WinningToken ownership is assigned to the admin (deployer):

constructor() ... Ownable(msg.sender) // msg.sender = RockPaperScissors deployer (admin)

  • RockPaperScissors calls mint without ownership rights:

winningToken.mint(_winner, 2); // Fails due to onlyOwner restriction

Impact

  • Token rewards cannot be distributed to winners.

  • Players who win ETH games also fail to receive their RPSW token rewards.

Tools Used

Manual code review

Recommendations

  • Transfer ownership of the WinningToken to the RockPaperScissors contract upon deployment. Modify the WinningToken constructor:

constructor(address _gameContract) ... Ownable(_gameContract)

  • Deploy WinningToken with RockPaperScissors as its owner to allow minting.

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
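
The ownership question this submission turns on, shown as an added example that is not the contest's code or the submitter's: the owner recorded by a constructor that stores `msg.sender` is whoever executes the token's creation, so whether a game contract can call an owner-only `mint` depends on how the token was deployed. `DemoToken`, `GameCreatesToken` and `GameGivenToken` are hypothetical stand-ins, with a hand-written owner check in place of the `Ownable` base contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: minimal stand-ins, not the contest's contracts.
contract DemoToken {
    address public owner;
    mapping(address => uint256) public balanceOf;

    constructor() {
        // msg.sender is whoever executes the creation: an EOA for a direct
        // deployment, or the creating contract when deployed with `new`.
        owner = msg.sender;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
    }
}

// Case A: the game creates the token itself, so the game is the owner.
contract GameCreatesToken {
    DemoToken public token;

    constructor() {
        token = new DemoToken(); // token.owner() == address(this)
    }

    // Caller restrictions omitted to keep the demo short.
    function reward(address winner) external {
        token.mint(winner, 1); // succeeds: the game is the token's owner
    }
}

// Case B: the token was deployed separately and its address passed in,
// so the owner is that separate deployer, not the game.
contract GameGivenToken {
    DemoToken public token;

    constructor(DemoToken _token) {
        token = _token;
    }

    function reward(address winner) external {
        token.mint(winner, 1); // reverts with "not owner"
    }
}
```

When triaging a report like this one, check which of the two deployment patterns the code under review uses before concluding that an owner-only call will revert.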
