Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Reentrancy Vulnerability

Summary

The RockPaperScissors smart contract is vulnerable to reentrancy attacks due to unsafe external calls made before critical state updates. This allows a malicious player to repeatedly re-enter functions like _cancelGame, _finishGame, or _handleTie and manipulate the contract state or drain funds.

Vulnerability Details

The smart contract is vulnerable to a reentrancy attack because it makes external calls (such as transferring ETH or tokens) before updating critical state variables like game deletion or winner tracking. For instance, in functions like _cancelGame, _finishGame, and _handleTie, funds are sent using .call{value:} or token transfers, while the game state is only modified afterward. This ordering allows a malicious contract to re-enter the vulnerable function before the state change occurs, potentially triggering multiple refunds, manipulating outcomes, or draining the contract's balance. This violates the checks-effects-interactions principle and exposes the contract to severe financial and logical risks.

Impact

A successful reentrancy attack can result in:

  • Double refunds or unauthorized fund withdrawals

  • Game state corruption

  • Total loss of contract funds

Tools Used

  • Slither: static analysis flagged multiple reentrancy warnings

  • Manual code review: Verified unsafe patterns and high-risk logic in relevant functions

Recommendations

To prevent reentrancy attacks, the contract should strictly follow the checks-effects-interactions pattern by updating internal state variables before making any external calls. Additionally, it's highly recommended to inherit from OpenZeppelin’s ReentrancyGuard and apply the nonReentrant modifier to all sensitive functions that perform external transfers. For ETH transfers, using Address.sendValue instead of .call{value:} is safer. Moreover, implementing a withdrawal pattern (pull over push payments) ensures that users explicitly claim their funds, reducing the risk of automatic reentrancy. These changes will significantly improve the contract's resistance to malicious reentry behavior.
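The two contracts below are an added illustration of the ordering problem described in the finding and of the recommended fix; they are not the audited RockPaperScissors code, and the `Game` struct, `createGame` and the `cancelGame` refund shape are assumptions standing in for the project's `_cancelGame` path (the same change applies to the `_finishGame` and `_handleTie` payout paths). `RpsVulnerable` sends the refund before deleting the game, so a re-entering `receive()` still passes the `active` check; `RpsHardened` applies checks-effects-interactions, OpenZeppelin's `nonReentrant`, and a pull-payment `withdraw`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. OpenZeppelin v5 import path;
// in v4 the file lives under security/ReentrancyGuard.sol.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Minimal game bookkeeping assumed for the example.
contract RpsBase {
    struct Game {
        address playerA;
        address playerB;
        uint256 bet;     // ETH deposited by the creator
        bool active;
    }

    uint256 public nextGameId;
    mapping(uint256 => Game) public games;

    /// Creator opens a game and escrows the bet.
    function createGame() external payable returns (uint256 gameId) {
        require(msg.value > 0, "bet required");
        gameId = nextGameId++;
        games[gameId] = Game({playerA: msg.sender, playerB: address(0), bet: msg.value, active: true});
    }
}

/// VULNERABLE ordering: the refund is sent while the game is still marked
/// active. If playerA is a contract whose receive() calls cancelGame(gameId)
/// again, the require(g.active) check passes on re-entry and a second refund
/// is paid out of other games' escrowed deposits.
contract RpsVulnerable is RpsBase {
    function cancelGame(uint256 gameId) external {
        Game storage g = games[gameId];
        require(g.active, "not active");
        require(msg.sender == g.playerA, "not creator");
        require(g.playerB == address(0), "opponent joined");

        // INTERACTION before EFFECT: external call with state unchanged
        (bool ok, ) = g.playerA.call{value: g.bet}("");
        require(ok, "refund failed");

        delete games[gameId];   // effect happens too late
    }
}

/// HARDENED: checks -> effects -> interactions, nonReentrant guard, and a
/// pull-payment withdraw so cancelGame itself makes no external call.
contract RpsHardened is RpsBase, ReentrancyGuard {
    mapping(address => uint256) public pendingWithdrawals;

    event RefundQueued(uint256 indexed gameId, address indexed to, uint256 amount);

    function cancelGame(uint256 gameId) external nonReentrant {
        Game storage g = games[gameId];
        // CHECKS
        require(g.active, "not active");
        require(msg.sender == g.playerA, "not creator");
        require(g.playerB == address(0), "opponent joined");

        // EFFECTS: capture what is needed, then clear state before any payout
        address to = g.playerA;
        uint256 amount = g.bet;
        delete games[gameId];

        // Pull over push: credit the balance instead of sending ETH here
        pendingWithdrawals[to] += amount;
        emit RefundQueued(gameId, to, amount);
    }

    /// Users claim their own funds. The balance is zeroed BEFORE the transfer,
    /// so a re-entering receive() finds nothing to withdraw, and nonReentrant
    /// rejects the nested call in any case.
    function withdraw() external nonReentrant {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;                 // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        require(ok, "withdraw failed");
    }
}
```

The decisive changes are the `delete` moving ahead of the payout and the `nonReentrant` modifier; either one alone closes the double-refund path, and together they also cover cross-function re-entry between the cancel, finish and tie handlers. Note that `Address.sendValue` is a thin wrapper over `call{value:}` that reverts on failure and still forwards all gas, so it does not by itself stop re-entry; the state ordering and the guard do.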

Updates

Appeal created

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
