Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Token Minting on Tie/Cancellation Leads to Inflation

Summary

The game contract incorrectly mints new winningToken instances to players when token-based games conclude with a tie (_handleTie) or are cancelled (_cancelGame). Instead of transferring back the tokens that players likely staked to enter the game, this logic increases the total supply of the winningToken, resulting in potential inflation.

Vulnerability Details

    function _handleTie(uint256 _gameId) internal {
        //...
        // Return tokens for token games
        if (game.bet == 0) {
    @>      winningToken.mint(game.playerA, 1);
    @>      winningToken.mint(game.playerB, 1);
        }
        // Since in a tie scenario, the total prize is split equally
        emit GameFinished(_gameId, address(0), 0);
    }

    function _cancelGame(uint256 _gameId) internal {
        //...
        // Return tokens for token games
        if (game.bet == 0) {
            if (game.playerA != address(0)) {
    @>          winningToken.mint(game.playerA, 1);
            }
            if (game.playerB != address(0)) {
    @>          winningToken.mint(game.playerB, 1);
            }
        }
        emit GameCancelled(_gameId);
    }

Impact

This issue leads to uncontrolled inflation of the winningToken supply.

Tools Used

Recommendations

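Use transfer instead of mint in _handleTie and _cancelGame, so that the tokens players staked are returned to them rather than new tokens being created.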
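The following is an added example, not code from the audited project or from this submission. It uses a hypothetical minimal token (DemoToken) and escrow (TieRefundDemo) to contrast the mint-based refund flagged above with a transfer-based refund. It assumes the two staked tokens are already held by the game contract; all contract names, function names and addresses are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: DemoToken and TieRefundDemo are hypothetical stand-ins,
// not the audited contracts. Assumes stakes are held by the game contract.
contract DemoToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Access control omitted; a real token restricts who may mint.
    function mint(address to, uint256 amount) external {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // 0.8 checked math reverts on shortfall
        balanceOf[to] += amount;
        return true;
    }
}

contract TieRefundDemo {
    DemoToken public token = new DemoToken();
    address constant PLAYER_A = address(0xA11CE); // constructed addresses
    address constant PLAYER_B = address(0xB0B);

    // Models two 1-token stakes already sitting in this contract's balance.
    function _escrowTwoStakes() internal returns (uint256 supplyBefore) {
        token.mint(address(this), 2);
        return token.totalSupply();
    }

    // Pattern from the finding: refund by minting. Supply grows by 2 and
    // the staked tokens stay stranded in this contract.
    function tieWithMint() external returns (uint256 supplyBefore, uint256 supplyAfter, uint256 stranded) {
        supplyBefore = _escrowTwoStakes();
        token.mint(PLAYER_A, 1);
        token.mint(PLAYER_B, 1);
        return (supplyBefore, token.totalSupply(), token.balanceOf(address(this)));
    }

    // Recommended pattern: return the escrowed tokens. Supply is unchanged.
    function tieWithTransfer() external returns (uint256 supplyBefore, uint256 supplyAfter, uint256 stranded) {
        supplyBefore = _escrowTwoStakes();
        require(token.transfer(PLAYER_A, 1) && token.transfer(PLAYER_B, 1), "refund failed");
        return (supplyBefore, token.totalSupply(), token.balanceOf(address(this)));
    }
}
```

Comparing supplyBefore with supplyAfter on each path gives a supply-conservation invariant that a unit or fuzz test can assert for every tie and cancellation of a token game.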

Updates

Appeal created

m3dython Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Minting Instead of Transferring Staked Tokens

Mints new tokens upon game completion or cancellation for token-based games
