Rock Paper Scissors

First Flight #38
Submission Details
Severity: low
Invalid

Missing Event for Critical Operation in _handleTie Function

Summary

The RockPaperScissors contract is missing an event emission for a critical operation in the _handleTie() function, specifically when minting WinningTokens to players in a tie scenario. This reduces the transparency and observability of important state changes within the protocol.

Vulnerability Details

In the _handleTie() function, WinningTokens are minted to both players when a game ends in a tie:

// Return tokens for token games
if (game.bet == 0) {
    winningToken.mint(game.playerA, 1);
    winningToken.mint(game.playerB, 1);
}

However, unlike other similar critical operations in the contract, there is no specific event emitted to track these token mint operations. This creates an inconsistency in logging behavior across similar operations in the contract.

For comparison, the FeeCollected event is properly emitted when fees are accumulated:

accumulatedFees += fee;
emit FeeCollected(_gameId, fee);

Impact

The missing event emission reduces:

  1. Transparency: External observers cannot easily track token minting operations specifically related to tie resolution

  2. Auditability: Makes it more difficult to verify that tokens were correctly minted during tie scenarios

  3. User experience: Dapps relying on events to track game outcomes have incomplete information about tie-related token distributions

The impact is medium severity as funds are not directly at risk, but it creates an information asymmetry and inconsistency in the system's observability.

Tools Used

Manual code review

Recommendations

  1. Create a dedicated event for tracking token minting in tie scenarios:

// Add to the event declarations at the top of the contract
event TokensMinted(uint256 indexed gameId, address indexed player, uint256 amount);

  2. Emit the event when minting tokens in the _handleTie() function:

// Return tokens for token games
if (game.bet == 0) {
    winningToken.mint(game.playerA, 1);
    emit TokensMinted(_gameId, game.playerA, 1);
    winningToken.mint(game.playerB, 1);
    emit TokensMinted(_gameId, game.playerB, 1);
}

  3. For consistency, also add similar event emissions for other token minting operations throughout the contract, such as in _finishGame() and _cancelGame() functions.

This enhancement maintains consistent observability across the contract and improves the protocol's transparency for users, auditors, and integrating applications.
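
A Foundry regression test for the recommended emissions, added here as an example; it is not part of the submission or the project's code. StubToken, TieHarness, handleTie and the sample addresses and game id are hypothetical stand-ins that reproduce only the token-game branch quoted above, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the token: only the mint() call shown on the page.
contract StubToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// Hypothetical harness reproducing only the token-game branch of _handleTie().
contract TieHarness {
    event TokensMinted(uint256 indexed gameId, address indexed player, uint256 amount);
    StubToken public winningToken = new StubToken();

    function handleTie(uint256 gameId, address playerA, address playerB, uint256 bet) external {
        if (bet == 0) {
            winningToken.mint(playerA, 1);
            emit TokensMinted(gameId, playerA, 1);
            winningToken.mint(playerB, 1);
            emit TokensMinted(gameId, playerB, 1);
        }
    }
}

contract TieEventTest is Test {
    // Redeclared so the test can emit the expected log for comparison.
    event TokensMinted(uint256 indexed gameId, address indexed player, uint256 amount);

    TieHarness harness;
    address playerA = address(0xA11CE); // constructed sample address
    address playerB = address(0xB0B);   // constructed sample address

    function setUp() public { harness = new TieHarness(); }

    function test_tieEmitsOneEventPerPlayer() public {
        // Match topic1 (gameId), topic2 (player) and data (amount); the event has no topic3.
        vm.expectEmit(true, true, false, true, address(harness));
        emit TokensMinted(7, playerA, 1);
        vm.expectEmit(true, true, false, true, address(harness));
        emit TokensMinted(7, playerB, 1);

        harness.handleTie(7, playerA, playerB, 0);

        assertEq(harness.winningToken().balanceOf(playerA), 1);
        assertEq(harness.winningToken().balanceOf(playerB), 1);
    }
}
```

The test fails if either emission is removed or reordered, which is what makes the logging behaviour enforceable rather than a convention.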

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
