Submission Details
Severity:
Reentrancy: State change after external call
Summary
Changing state after an external call can lead to re-entrancy attacks.Use the checks-effects-interactions pattern to avoid this issue.
Vulnerability Details
- Found in src/RockPaperScissors.sol [Line: 125]()
State is changed at: `uint256 gameId = gameCounter++`, `game.playerA = msg.sender`, `game.bet = 0`, `game.timeoutInterval = _timeoutInterval`, `game.creationTime = block.timestamp`, `game.joinDeadline = block.timestamp + joinTimeout`, `game.totalTurns = _totalTurns`, `game.currentTurn = 1`, `game.state = GameState.Created`
```solidity
require(winningToken.balanceOf(msg.sender) >= 1, "Must have winning token");
```
Impact
If exploited, an attacker could:
Reenter createGameWithToken() during the balanceOf() check before gameCounter is incremented.
Cause double game creation with the same gameId, leading to game state corruption or logic bypasses.
Manipulate internal game state inconsistently, especially when combined with token transfer or reveal logic.
Tools Used
Aderyn Static Analysis tool
Recommendations
Rewards breakdown
nSLOC
349This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.