Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Front-Running Vulnerability in Move Commitment

Summary

The RockPaperScissors smart contract is vulnerable to front-running due to the improper implementation of the commit-reveal pattern. Specifically, the second player can wait for the first player to reveal their move before committing their own, gaining an unfair advantage.

Vulnerability Details

The revealMove() function allows a player to reveal their move after both have committed. However, because no strict commit deadline is enforced, Player 2 can delay their commitment until after Player 1 reveals their move. Since commitment and reveal transactions are public on-chain, this enables strategic front-running.

Vulnerable Code:

```solidity
function revealMove(uint gameId, Move move, bytes32 salt) external {
    // ...
    // Only a registered player of this game may reveal.
    require(game.players[msg.sender].exists, "You are not a player");
    // Recompute the commitment from the revealed move and salt.
    bytes32 moveHash = keccak256(abi.encodePacked(move, salt));
    // It must match the hash the player committed earlier.
    require(moveHash == game.players[msg.sender].moveHash, "Invalid move reveal");
    // ...
}
```

Impact

  • Enables a malicious player to always win by selecting a counter move after seeing the opponent’s move.

  • Undermines fairness of the game.

Tools Used

  • Manual Code Review

Recommendations

  • Introduce strict commit and reveal deadlines.

  • Add forfeiture rules for players who fail to commit or reveal on time.

  • Example: require(block.timestamp <= game.commitDeadline, "Commit deadline passed");
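The recommendations above (commit and reveal deadlines plus forfeiture), as an added Solidity sketch that is not the audited RockPaperScissors contract: the single-game layout, state variable names and claimForfeit() are assumptions, while the commitment hash form matches the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical single-game commit-reveal with the deadlines and forfeiture the
// recommendations above call for. Not the audited contract; all names assumed.
contract CommitRevealWithDeadlines {
    enum Move { None, Rock, Paper, Scissors }
    struct Player { bool exists; bytes32 moveHash; Move revealed; }
    address[2] public players;
    mapping(address => Player) private p;
    uint256 public commitDeadline;  // last timestamp at which a commit is accepted
    uint256 public revealDeadline;  // last timestamp at which a reveal is accepted
    uint8 public commits;
    constructor(address a, address b, uint256 commitWindow, uint256 revealWindow) {
        players = [a, b];
        p[a].exists = true;
        p[b].exists = true;
        commitDeadline = block.timestamp + commitWindow;
        revealDeadline = commitDeadline + revealWindow;
    }
    function commitMove(bytes32 moveHash) external {
        require(p[msg.sender].exists, "You are not a player");
        require(block.timestamp <= commitDeadline, "Commit deadline passed");
        require(p[msg.sender].moveHash == bytes32(0), "Already committed");
        p[msg.sender].moveHash = moveHash;
        commits++;
    }
    function revealMove(Move move, bytes32 salt) external {
        Player storage me = p[msg.sender];
        require(me.exists, "You are not a player");
        // No reveal is accepted while the opponent could still commit: either
        // both hashes are locked in or the commit window has already closed.
        require(commits == 2 || block.timestamp > commitDeadline, "Commit phase open");
        require(block.timestamp <= revealDeadline, "Reveal deadline passed");
        require(keccak256(abi.encodePacked(move, salt)) == me.moveHash, "Invalid move reveal");
        require(me.revealed == Move.None, "Already revealed");
        me.revealed = move;
    }
    // Once the reveal window closes, a player who revealed beats an opponent
    // who never committed or never revealed in time: the no-show forfeits.
    function claimForfeit() external view returns (address winner) {
        require(block.timestamp > revealDeadline, "Game still open");
        Player storage a = p[players[0]];
        Player storage b = p[players[1]];
        if (a.revealed != Move.None && b.revealed == Move.None) return players[0];
        if (b.revealed != Move.None && a.revealed == Move.None) return players[1];
        return address(0); // both revealed (settle normally) or neither (draw)
    }
}
```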

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
