Submission Details
Severity:
Critical Logic Error in claimThrone() Function Breaks Game Mechanics
Description
-
A critical logic error has been identified in the claimThrone() function of the Game contract at line 188.
-
The current condition check is written as:
require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
// This incorrect - it should be:
require(msg.sender != currentKing, "Game: You are already the king. No need to re-claim.");
Risk
Likelihood:
no one will be able to play except the first player
Impact:
-
Game Lock: After the first player, no one can claim the throne
-
Fund Loss: Players cannot participate and retrieve their ETH
Proof of Concept
function test_VulnerabilityLogicError_BlocksAllOtherPlayers() public {
// Player1 successfully claims throne (first time currentKing = address(0))
vm.prank(player1);
game.claimThrone{value: INITIAL_CLAIM_FEE}();
// Verify player1 became king
assertEq(game.currentKing(), player1);
console2.log("Player1 is now the king:", game.currentKing());
// Get new claim fee
uint256 newClaimFee = game.claimFee();
console2.log("New claim fee:", newClaimFee);
// Player2 tries to claim throne with sufficient ETH
vm.prank(player2);
vm.expectRevert("Game: You are already the king. No need to re-claim.");
game.claimThrone{value: newClaimFee}();
// Player3 also cannot claim throne
vm.prank(player3);
vm.expectRevert("Game: You are already the king. No need to re-claim.");
game.claimThrone{value: newClaimFee}();
// Even owner cannot claim throne
vm.prank(deployer);
vm.expectRevert("Game: You are already the king. No need to re-claim.");
game.claimThrone{value: newClaimFee}();
}
Recommended Mitigation
function claimThrone() external payable gameNotEnded nonReentrant {
- require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
+ require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
}
Updates
Appeal created
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
Game::claimThrone `msg.sender == currentKing` check is busted
lochaeth
about 1 month ago
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
Game::claimThrone `msg.sender == currentKing` check is busted
Rewards breakdown
nSLOC
181This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.