Rock Paper Scissors

Summary

The revealMove() function relies on the game.revealDeadline being set to a non-zero value to ensure that the reveal phase has not timed out. However, if only Player A has committed their move and Player B has not, the game.revealDeadline will remain unset (i.e., 0), leading to a misleading error message when Player A tries to reveal their move.

Vulnerability Details

Currently, the condition is:

and this will always fail with the error message "Reveal phase timed out" if only one player has committed their move and tries to reveal their move, because game.revealDeadline is set to 0 by default. This is problematic because it does not reflect the actual state of the game, where the issue is that Player B has not committed yet, and thus the reveal phase has not even started.

Impact

• Misleading Error: If only Player A has committed, the error message "Reveal phase timed out" is misleading. The issue is not that the reveal phase has timed out, but rather that the reveal deadline has not been set due to Player B's absence.

• Confusion for Users: Players may be confused by the error message, as they might assume that the reveal phase has a timeout when, in fact, the game logic simply hasn't initialized the deadline due to Player B's failure to commit.

Tools Used

Manual review

Recommendations

1. Default revealDeadline Value: Ensure that game.revealDeadline is set to a default value once Player A commits, or delay the reveal phase logic until both players have committed.

2. Clearer Error Message: Modify the error message to clarify that Player B has not committed, rather than indicating the reveal phase has timed out.