Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

WinningToken supply not capped

Summary

There is no capping mechanism in the WinningToken contract.

The RockPaperScissors contract duplicates every token that players bet in a game: the staked tokens are kept in the contract while fresh tokens are minted for prizes or refunds.

Vulnerability Details

The WinningToken supply is not under control.

It increases exponentially with the number of games played.

This results in inflationary tokenomics.

Impact

The value of the WinningToken decreases over time.

Players lose interest in playing for small value prizes.

Tools Used

Manual Code Review

Recommendations

Add a burning mechanism.

Or

Or, use "transfer" to send WinningTokens back to players (winners or refunded players) instead of minting new tokens in the following functions:
_finishGame

_handleTie

_cancelGame

For example in _finishGame:

```solidity
/**
 * @dev Internal function to finish the game and distribute prizes
 * @param _gameId ID of the game
 * @param _winner Address of the winner
 */
function _finishGame(uint256 _gameId, address _winner) internal {
    Game storage game = games[_gameId];
    game.state = GameState.Finished;
    uint256 prize = 0;
    // Handle ETH prizes
    if (game.bet > 0) {
        // Calculate total pot and fee
        uint256 totalPot = game.bet * 2;
        uint256 fee = (totalPot * PROTOCOL_FEE_PERCENT) / 100;
        prize = totalPot - fee;
        // Accumulate fees for admin to withdraw later
        accumulatedFees += fee;
        emit FeeCollected(_gameId, fee);
        // Send prize to winner
        (bool success,) = _winner.call{value: prize}("");
        require(success, "Transfer failed");
    }
    // Handle token prizes - winner gets both tokens
    if (game.bet == 0) {
        // Transfer the two staked tokens held by the contract to the winner
        winningToken.transfer(_winner, 2); // Replaced "mint" with "transfer"
    } else {
        // Mint a winning token for ETH games
        winningToken.mint(_winner, 1); // Not to be replaced for ETH games
    }
    emit GameFinished(_gameId, _winner, prize);
}
```
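The accounting difference behind the finding, as an added model that is not part of this submission or the contest code: each token game locks both players' stakes in the contract, and paying prizes or refunds by minting (the current behaviour) grows totalSupply with every game, while paying them by transferring the staked tokens back (the recommendation above, applied to _finishGame, _handleTie and _cancelGame) keeps totalSupply constant. Player names, starting balances and the outcome schedule are constructed for the example.

```python
from enum import Enum


class Outcome(Enum):
    WIN = "win"        # _finishGame: winner receives both staked tokens
    TIE = "tie"        # _handleTie: each player gets one token back
    CANCEL = "cancel"  # _cancelGame: each player is refunded one token


class Ledger:
    def __init__(self):
        self.balances = {}
        self.total_supply = 0  # the quantity the finding says is uncapped

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{sender} cannot cover {amount} tokens")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def play_round(ledger, policy, a, b, outcome, winner=None, contract="RPS"):
    """Both players stake 1 token; payouts follow `policy` ('mint' or 'transfer')."""
    ledger.transfer(a, contract, 1)
    ledger.transfer(b, contract, 1)
    payouts = {winner: 2} if outcome is Outcome.WIN else {a: 1, b: 1}
    for player, amount in payouts.items():
        if policy == "mint":
            ledger.mint(player, amount)                # new tokens; stakes stay locked
        else:
            ledger.transfer(contract, player, amount)  # staked tokens flow back out


def simulate(policy, rounds):
    """Return (totalSupply, tokens stranded in the contract) after `rounds` games."""
    ledger = Ledger()
    ledger.mint("alice", 2)  # constructed starting balances
    ledger.mint("bob", 2)
    schedule = [(Outcome.WIN, "alice"), (Outcome.TIE, None),
                (Outcome.CANCEL, None), (Outcome.WIN, "bob")]
    for i in range(rounds):
        outcome, winner = schedule[i % len(schedule)]
        play_round(ledger, policy, "alice", "bob", outcome, winner)
    return ledger.total_supply, ledger.balances.get("RPS", 0)
```

With the mint policy, `simulate("mint", 12)` returns a supply of 28 with 24 tokens stranded in the contract, while `simulate("transfer", 12)` returns the original supply of 4 with nothing stranded.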
Updates

Appeal created

m3dython Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.

Gas Optimization
