The smart contract contains a business logic vulnerability in the reward system that inconsistently incentivizes players. Specifically, it rewards players who participate in free games with more tokens than those who play with real ETH, which can lead to strategic abuse and undermines the economic integrity of the platform.
The affected function is:
function _finishGame(uint256 _gameId, address _winner) internal
In the game settlement logic, the following code mints reward tokens to the winner based on whether the game was played with a bet (ETH) or not:
This logic unintentionally rewards players who participate in free games with more tokens (2) than those who participate in ETH-based games (1). This creates a perverse incentive, where users may prefer free games simply to farm more tokens, rather than engaging in more valuable ETH-based matches.
Economic imbalance: ETH players get fewer rewards despite taking higher financial risk.
Token farming: Users may exploit the logic to repeatedly play free games and accumulate tokens unfairly.
Player dissatisfaction: ETH players may feel discouraged, leading to reduced platform engagement and trust.
Token devaluation: Excessive minting in free games may inflate the token supply and reduce its perceived value.
Manual review
Reverse the logic so that ETH players are rewarded equal to or more than free players.
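One way to make the recommended ordering hold by construction, as an added example that is not the audited contract's code: the two reward amounts become deployment parameters and the constructor rejects any configuration where the ETH-game reward is below the free-game reward. The names `RewardPolicy`, `IRewardToken`, `freeReward`, `paidReward`, `rewardFor` and `_mintReward` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not taken from the audited contract.
interface IRewardToken {
    function mint(address to, uint256 amount) external;
}

contract RewardPolicy {
    IRewardToken public immutable token;
    uint256 public immutable freeReward; // tokens minted for a game with no bet
    uint256 public immutable paidReward; // tokens minted for a game with an ETH bet

    error PaidRewardBelowFreeReward(uint256 paid, uint256 free);

    constructor(IRewardToken _token, uint256 _freeReward, uint256 _paidReward) {
        // Enforce the invariant once, at deployment: staking ETH never pays less
        // than playing for free.
        if (_paidReward < _freeReward) {
            revert PaidRewardBelowFreeReward(_paidReward, _freeReward);
        }
        token = _token;
        freeReward = _freeReward;
        paidReward = _paidReward;
    }

    // Reward for a finished game, selected by whether a bet was placed.
    function rewardFor(uint256 bet) public view returns (uint256) {
        return bet > 0 ? paidReward : freeReward;
    }

    // Settlement helper: mint the winner's reward. Assumed to be called only
    // from the contract's own game-settlement path.
    function _mintReward(address winner, uint256 bet) internal {
        token.mint(winner, rewardFor(bet));
    }
}
```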