Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Insecure Admin Initialization

Summary

The RockPaperScissors constructor assigns adminAddress from msg.sender. When the contract is created by another contract (a factory or a deployment helper), that contract, not the intended operator, becomes admin; when the implementation is used behind a proxy, the constructor does not run in the proxy's storage at all, so adminAddress is left at the zero address. In either case admin rights do not land where the deployer expects.

Vulnerability Details

In the constructor, the admin address is set directly to msg.sender:

constructor() {
winningToken = new WinningToken();
adminAddress = msg.sender; // Vulnerability: directly using msg.sender
}

This is problematic because:

  • If the contract is created by a factory or any other contract, msg.sender inside the constructor is that contract's address, not the EOA that triggered the deployment

  • If the implementation is placed behind a proxy, the constructor never executes in the proxy's context, so the proxy's adminAddress storage slot stays zero and there is no way to set it afterwards

  • If deployment is driven from a script, msg.sender is whichever key broadcast the transaction, which may be a throwaway deployer rather than the intended operational admin

  • There is no check that the resulting address is non-zero or is the intended admin

Impact

This can lead to:

  1. Admin rights held by an unintended contract address

  2. Admin functions becoming permanently unreachable if that contract has no code path that calls them

  3. Complete loss of admin control over the protocol, since there is no mechanism to reassign the admin

  4. Inability to withdraw fees or perform other admin-only operations

Tools Used

Manual code review

Recommendations

Pass the admin address as a parameter to the constructor:

constructor(address _admin) {
require(_admin != address(0), "Admin cannot be zero address");
winningToken = new WinningToken();
adminAddress = _admin;
}

This ensures:

  • The admin address is explicitly provided rather than implicitly derived from whoever happens to execute the CREATE

  • The deployer must consciously specify the intended admin

  • The contract behaves the same whether it is deployed directly or through a factory. A proxied deployment is still not covered by a constructor argument: no constructor runs in the proxy's storage, so that pattern would need a separate one-time initializer

  • Zero-address validation prevents accidental initialization to an invalid address
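The factory and proxy cases from Vulnerability Details, and the explicit-admin constructor recommended above, as an added Foundry test that is not part of the contest code or of this submission. It assumes a Foundry project with forge-std available; GameMsgSenderAdmin, GameExplicitAdmin, GameFactory and MinimalProxy are hypothetical stand-ins written for this example, with WinningToken and the game logic omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for RockPaperScissors keeping only the admin assignment under discussion
// (WinningToken and game logic omitted). Constructed for this example.
contract GameMsgSenderAdmin {
    address public adminAddress;

    constructor() {
        adminAddress = msg.sender; // whoever executed CREATE: an EOA or a contract
    }
}

// The recommended form: admin supplied explicitly and checked against zero.
contract GameExplicitAdmin {
    address public adminAddress;

    constructor(address _admin) {
        require(_admin != address(0), "Admin cannot be zero address");
        adminAddress = _admin;
    }
}

// Hypothetical factory: the deployment path where msg.sender is a contract.
contract GameFactory {
    function deployWithMsgSender() external returns (GameMsgSenderAdmin) {
        return new GameMsgSenderAdmin(); // inside the constructor, msg.sender == this factory
    }

    function deployWithExplicitAdmin(address admin) external returns (GameExplicitAdmin) {
        return new GameExplicitAdmin(admin); // the caller's chosen admin is forwarded
    }
}

// Minimal delegatecall proxy (hypothetical, not an upgradeable-proxy library).
// Its storage starts empty; the implementation's constructor never writes to it.
contract MinimalProxy {
    address private immutable impl;

    constructor(address _impl) {
        impl = _impl;
    }

    fallback() external {
        address target = impl;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

contract AdminInitTest is Test {
    function test_FactoryBecomesAdmin() public {
        GameFactory factory = new GameFactory();
        GameMsgSenderAdmin game = factory.deployWithMsgSender();
        // The factory, not the account that called it, ends up as admin.
        assertEq(game.adminAddress(), address(factory));
        assertTrue(game.adminAddress() != address(this));
    }

    function test_ExplicitAdminSurvivesFactory() public {
        address intended = makeAddr("admin");
        GameFactory factory = new GameFactory();
        GameExplicitAdmin game = factory.deployWithExplicitAdmin(intended);
        assertEq(game.adminAddress(), intended);
    }

    function test_ZeroAdminReverts() public {
        vm.expectRevert(bytes("Admin cannot be zero address"));
        new GameExplicitAdmin(address(0));
    }

    function test_ProxyHasNoAdminAtAll() public {
        GameMsgSenderAdmin impl = new GameMsgSenderAdmin();
        assertEq(impl.adminAddress(), address(this)); // written to the implementation's own storage
        MinimalProxy proxy = new MinimalProxy(address(impl));
        // Reading through the proxy hits the proxy's slot 0, which was never written.
        assertEq(GameMsgSenderAdmin(address(proxy)).adminAddress(), address(0));
    }
}
```

Run with `forge test --match-contract AdminInitTest`. The last test is the reason a constructor argument alone does not cover proxied deployments: the fix makes the factory path correct, but a proxy would still need an initializer that writes adminAddress into the proxy's storage.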

Updates

Appeal created

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
