Incorrect Token Handling Leading
Summary
When players join a game, they transfer 1 RPSW token to the contract. However, when the game is canceled (e.g., via _cancelGame or a timeout) or ends in a tie, the contract mints new tokens to players instead of returning their original tokens. This causes two issues:
Token Supply Inflation: New tokens are minted even though the original tokens are still locked in the contract.
Loss of User Funds: The original tokens remain trapped in the contract forever, as the code does not transfer them back. Players lose their deposited tokens permanently.
Vulnerability Details
In
createGameWithToken, players transfer tokens to the contract:
winningToken.transferFrom(msg.sender, address(this), 1);
In
_cancelGame, tokens are minted instead of returned:
winningToken.mint(game.playerA, 1); // Mints new tokens
Impact
Uncontrolled token inflation.
Players lose their deposited tokens permanently
Tools Used
Manual code review
Recommendations
Replace minting with transferring the original locked tokens back to players in
_cancelGameand_handleTie. Usetransferinstead ofmint.Ensure the contract holds tokens temporarily and returns them on cancellation.
Appeal created
Minting Instead of Transferring Staked Tokens
Mints new tokens upon game completion or cancellation for token-based games
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.