Denial of Service can occur when block.timestamp + joinTimeout
overflows, preventing players from creating games.
The function RockPaperScissors::setJoinTimeout(uint256 _newTimeout)
enforces a minimum timeout duration, but not a maximum timeout duration.
Therefore, an admin could set the joinTimeout
to a value large enough to overflow when added to block.timestamp.
This addition occurs in both RockPaperScissors::createGameWithEth(uint256 _totalTurns, uint256 _timeoutInterval)
and RockPaperScissors::createGameWithToken(uint256 _totalTurns, uint256 _timeoutInterval).
Potential players will be unable to create a game whether RPSW or ETH is used, and therefore the contract will be unable to collect fees.
Manual Review.
It is recommended to require a maximum timeout like this:
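As an added illustration (not the audited RockPaperScissors code, and not the author's own recommended snippet), the contract below places an unbounded setter beside a bounded one and keeps a minimal stand-in for the game-creation path where block.timestamp + joinTimeout is computed. The contract name, the owner check, the MIN_JOIN_TIMEOUT and MAX_JOIN_TIMEOUT values, the createGame stand-in and the joinDeadline mapping are all assumptions for the example. Under Solidity 0.8 checked arithmetic the addition reverts on overflow rather than wrapping, which is the denial-of-service the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. Names and bounds are assumed.
contract JoinTimeoutExample {
    address public immutable owner;
    uint256 public joinTimeout;

    uint256 public constant MIN_JOIN_TIMEOUT = 1 minutes; // assumed lower bound
    uint256 public constant MAX_JOIN_TIMEOUT = 30 days;   // assumed upper bound

    uint256 public nextGameId;
    mapping(uint256 => uint256) public joinDeadline; // gameId => deadline timestamp

    error NotOwner();
    error TimeoutTooShort();
    error TimeoutTooLong();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
        joinTimeout = 1 days;
    }

    // Weak pattern: only a lower bound is enforced. An owner can store a value
    // close to type(uint256).max, after which every createGame call reverts
    // in the checked addition below.
    function setJoinTimeoutUnbounded(uint256 _newTimeout) external onlyOwner {
        if (_newTimeout < MIN_JOIN_TIMEOUT) revert TimeoutTooShort();
        joinTimeout = _newTimeout;
    }

    // Hardened pattern: bound the timeout on both sides so that
    // block.timestamp + joinTimeout stays far below type(uint256).max.
    function setJoinTimeout(uint256 _newTimeout) external onlyOwner {
        if (_newTimeout < MIN_JOIN_TIMEOUT) revert TimeoutTooShort();
        if (_newTimeout > MAX_JOIN_TIMEOUT) revert TimeoutTooLong();
        joinTimeout = _newTimeout;
    }

    // Stand-in for createGameWithEth / createGameWithToken: the deadline
    // computation is the line that reverts once joinTimeout is oversized.
    function createGame() external payable returns (uint256 gameId) {
        gameId = nextGameId++;
        joinDeadline[gameId] = block.timestamp + joinTimeout;
    }
}
```

The upper bound removes the overflow vector entirely; any value the setter accepts can be added to a realistic block.timestamp without approaching the uint256 limit. It also narrows, but does not eliminate, the broader trust assumption on the admin, who can still pick any duration within the allowed window.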