Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Token Minting on Tie/Cancellation Leads to Inflation

Summary

The game contract incorrectly mints new winningToken instances to players when token-based games conclude with a tie (_handleTie) or are cancelled (_cancelGame). Instead of transferring back the tokens that players likely staked to enter the game, this logic increases the total supply of the winningToken, resulting in potential inflation.

Vulnerability Details

function _handleTie(uint256 _gameId) internal {
    //...
    // Return tokens for token games
    if (game.bet == 0) {
@>      winningToken.mint(game.playerA, 1);
@>      winningToken.mint(game.playerB, 1);
    }
    // Since in a tie scenario, the total prize is split equally
    emit GameFinished(_gameId, address(0), 0);
}

function _cancelGame(uint256 _gameId) internal {
    //...
    // Return tokens for token games
    if (game.bet == 0) {
        if (game.playerA != address(0)) {
@>          winningToken.mint(game.playerA, 1);
        }
        if (game.playerB != address(0)) {
@>          winningToken.mint(game.playerB, 1);
        }
    }
    emit GameCancelled(_gameId);
}

Impact

This issue leads to uncontrolled inflation of the winningToken supply.

Tools Used

Recommendations

Use transfer instead of mint, so that players get back the tokens they staked rather than newly minted ones.
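
A sketch of the recommended change, added here as an illustration and not taken from the contest code base: both exit paths return the escrowed tokens with transfer, so the token's total supply is unchanged by ties and cancellations. It assumes each player escrows 1 winningToken in the contract through transferFrom on entry; the contract name, enterTokenGame, the event signatures and the deletion of the game record before refunding are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added sketch, not the contest code. Assumption: each player escrows
// 1 winningToken in this contract (via transferFrom) when entering.
interface IWinningToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenGameRefundSketch {
    struct Game {
        address playerA;
        address playerB;
        uint256 bet; // 0 marks a token game, as in the snippet above
    }

    IWinningToken public immutable winningToken;
    mapping(uint256 => Game) public games;

    event GameFinished(uint256 indexed gameId, address winner, uint256 prize);
    event GameCancelled(uint256 indexed gameId);

    constructor(IWinningToken token) { winningToken = token; }

    // Hypothetical entry point: the first caller becomes playerA, the second playerB.
    function enterTokenGame(uint256 id) external {
        Game storage game = games[id];
        require(game.playerB == address(0), "game full");
        if (game.playerA == address(0)) game.playerA = msg.sender;
        else game.playerB = msg.sender;
        require(winningToken.transferFrom(msg.sender, address(this), 1), "stake failed");
    }

    function _handleTie(uint256 id) internal { _refund(id); emit GameFinished(id, address(0), 0); }
    function _cancelGame(uint256 id) internal { _refund(id); emit GameCancelled(id); }

    // Hand back the escrowed tokens; totalSupply stays constant.
    function _refund(uint256 id) private {
        Game memory game = games[id];
        if (game.bet != 0) return;
        delete games[id]; // clear first so a repeated call cannot pay out twice
        if (game.playerA != address(0)) require(winningToken.transfer(game.playerA, 1), "refund A failed");
        if (game.playerB != address(0)) require(winningToken.transfer(game.playerB, 1), "refund B failed");
    }
}
```

Because a transfer-based refund pays out of the contract's own balance, a refund that could run twice for the same game would spend other players' escrow, which is why the sketch clears the record before transferring.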

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Minting Instead of Transferring Staked Tokens

Mints new tokens upon game completion or cancellation for token-based games
