Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: high
Invalid

Denial of Service (DoS) due to No Timeout for Commit Phase

Summary

The commit phase of the game does not have an enforced timeout, allowing players to indefinitely delay their commitment to the game. This creates a situation where a player can stall the game without any repercussions, preventing the game from progressing to the reveal phase.

Vulnerability Details

A player successfully joins the game but never commits to a move.

Since there’s no timeout for the commit phase, the game stays stuck in the Commit state, never progressing.

The game effectively becomes unplayable, locking out the other player, who has already committed their move.

Impact

Denial of Service (DoS) – A player can block the game by failing to commit, preventing it from ever progressing to the reveal phase.

Economic Loss – If betting is involved, the stalling player can delay payouts or force a loss of funds due to inactivity or timeouts in other aspects of the game.

Tools Used

Manual code review

Recommendations

  1. Introduce a commit phase timeout – Define a maximum duration for the commit phase. If the timeout expires without both players committing, the game should either automatically forfeit the uncommitted player or refund any bet amounts.

  2. Add a commit deadline and allow one player to cancel if the other doesn’t commit in time.

  3. Smart contract cleanup – Forcibly remove games that do not progress after a defined period to prevent wasted resources or locked funds.
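A minimal sketch of recommendations 1 and 2, added here as an illustration and not taken from the audited contract: a single-game contract where the commit clock starts when the second player joins, and either player can cancel and reclaim bets once the window has passed. The contract name, function names, state layout and the 10-minute window are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the audited contract. All names and the
// 10-minute window are hypothetical.
contract CommitTimeoutSketch {
    enum State { Open, Commit, Reveal, Cancelled }
    uint256 public constant COMMIT_WINDOW = 10 minutes; // assumed value
    address public immutable playerA;
    address public playerB;
    uint256 public immutable bet;
    uint256 public commitDeadline;
    State public state; // defaults to Open
    mapping(address => bytes32) public commitOf;
    mapping(address => uint256) public refundOf;
    modifier onlyPlayer() {
        require(msg.sender == playerA || msg.sender == playerB, "not a player");
        _;
    }
    constructor() payable { playerA = msg.sender; bet = msg.value; }
    function join() external payable {
        require(state == State.Open, "not open");
        require(msg.sender != playerA && msg.value == bet, "bad join");
        playerB = msg.sender;
        state = State.Commit;
        commitDeadline = block.timestamp + COMMIT_WINDOW; // clock starts here
    }
    function commit(bytes32 h) external onlyPlayer {
        require(state == State.Commit, "not commit phase");
        require(block.timestamp <= commitDeadline, "commit window closed");
        require(h != bytes32(0) && commitOf[msg.sender] == bytes32(0), "bad commit");
        commitOf[msg.sender] = h;
        if (commitOf[playerA] != bytes32(0) && commitOf[playerB] != bytes32(0)) {
            state = State.Reveal;
        }
    }
    // Either player can end a game the other one is stalling.
    function cancelStalledCommit() external onlyPlayer {
        require(state == State.Commit, "not commit phase");
        require(block.timestamp > commitDeadline, "window still open");
        state = State.Cancelled;
        refundOf[playerA] += bet; // pull payment: credit now, pay in withdraw()
        refundOf[playerB] += bet;
    }
    function withdraw() external {
        uint256 amount = refundOf[msg.sender];
        refundOf[msg.sender] = 0; // zero before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Refunds are credited and pulled through `withdraw()` so that a player whose address rejects transfers cannot block the cancellation itself.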

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
