The RockPaperScissors smart contract relies on block.timestamp to enforce deadlines for actions such as revealing moves and claiming timeouts. However, this value can be manipulated within a certain range by miners, making the contract vulnerable to block timestamp manipulation attacks, especially in low-activity or low-gas environments.
The contract uses block.timestamp to track and validate time-based logic such as deadline, timeout, and reveal periods. While block.timestamp generally reflects the current time, miners can influence it within a margin of up to 15 seconds or more under certain conditions. This small but significant leeway allows a miner (or an attacker colluding with one) to slightly delay or fast-forward the execution of game logic. For instance, a malicious player may try to postpone their reveal timeout to avoid losing a game, or manipulate deadline checks in their favor. Although this manipulation window is limited, in games with short timeouts it can be exploited to gain unfair advantages, undermine fairness, or create race conditions.
Exploiting block timestamp manipulation can result in:
Unfair game outcomes by altering timeout or deadline behavior
Stalling game finalization or refunds
Manual code review: Identified block.timestamp usage in sensitive time checks
Slither: Highlighted timestamp-dependent logic and possible manipulation surface
Avoid tight time windows (e.g., <1 minute) for timeouts or deadlines to reduce the risk window.
Use block numbers instead of timestamps for timeout logic when possible. Block numbers are less manipulable:
uint256 timeoutBlock = block.number + 20; // e.g., approx. 5 mins on Ethereum
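As an added illustration of the recommendation (this is example code, not the audited RockPaperScissors contract), a minimal reveal phase whose deadline is measured in blocks rather than seconds; the Game struct, function names and the 20-block window are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the audited contract: reveal/timeout logic keyed on
/// block.number instead of block.timestamp. Names and values are assumed.
contract BlockNumberTimeoutExample {
    // At ~12-second mainnet block times, 20 blocks is roughly four minutes.
    // Keep the window wide relative to anything a single block producer can
    // shift; a window of a handful of blocks would reintroduce the risk.
    uint256 public constant REVEAL_WINDOW_BLOCKS = 20;

    struct Game {
        address player1;
        address player2;
        uint256 revealDeadlineBlock; // last block in which a reveal is accepted
        bool player1Revealed;
        bool player2Revealed;
        bool settled;
    }

    mapping(uint256 => Game) public games;

    /// Opens the reveal phase once both commitments are in (commit logic is
    /// out of scope for this example).
    function startRevealPhase(uint256 gameId, address p1, address p2) external {
        Game storage g = games[gameId];
        require(g.revealDeadlineBlock == 0, "already started");
        g.player1 = p1;
        g.player2 = p2;
        g.revealDeadlineBlock = block.number + REVEAL_WINDOW_BLOCKS;
    }

    /// Records a reveal only while the block-based window is still open.
    function markRevealed(uint256 gameId) external {
        Game storage g = games[gameId];
        require(g.revealDeadlineBlock != 0, "not started");
        require(block.number <= g.revealDeadlineBlock, "reveal window closed");
        if (msg.sender == g.player1) g.player1Revealed = true;
        else if (msg.sender == g.player2) g.player2Revealed = true;
        else revert("not a player");
    }

    /// Anyone may settle by timeout once the deadline block has passed; the
    /// check no longer depends on a timestamp a block producer can nudge.
    function claimTimeout(uint256 gameId) external {
        Game storage g = games[gameId];
        require(!g.settled, "already settled");
        require(block.number > g.revealDeadlineBlock, "deadline not reached");
        g.settled = true;
        // Payout to the revealing player, or refund of both stakes, goes here.
    }
}
```

Block numbers remove the per-block timestamp leeway but are only an approximate clock, so the window should be sized in blocks for the chain the contract actually runs on.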