Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Function Documentation Falsely Claims Previous King Compensation

Description

The claimThrone function documentation explicitly states "If there's a previous king, a small portion of the new claim fee is sent to them," but the actual implementation never sends any compensation to previous kings. This creates a fundamental mismatch between documented behavior and actual contract functionality.

/**
 * @dev Allows a player to claim the throne by sending the required claim fee.
 * If there's a previous king, a small portion of the new claim fee is sent to them. // @> FALSE PROMISE
 * A portion also goes to the platform owner, and the rest adds to the pot.
 */
function claimThrone() external payable gameNotEnded nonReentrant {
    uint256 previousKingPayout = 0; // @> Always 0, no compensation sent!
    // @> No code exists anywhere to pay previous king
    amountToPot = sentAmount - currentPlatformFee; // Previous king gets NOTHING
}

Risk

Likelihood:

  • Every user who reads the documentation will be misled about compensation mechanics

  • Documentation is referenced during user onboarding and decision-making

Impact:

  • Users are actively misled about core game economics

  • Previous kings expect compensation that never materializes

  • Creates incorrect economic incentives and player expectations

  • May constitute false advertising of game features

  • Results in user dissatisfaction and loss of trust

Proof of Concept

// Documentation promises previous king compensation
// Implementation shows previousKingPayout = 0 always
// Money flow: Platform fee + Pot, NO payment to previous king
// Contradiction: Documentation vs reality creates user confusion

Recommended Mitigation

Option 1: Fix documentation to match implementation:

/**
 * @dev Allows a player to claim the throne by sending the required claim fee.
 * No compensation is sent to the previous king.
 * A portion goes to the platform owner, and the rest adds to the pot.
 */

Option 2: Implement the documented previous king compensation (with DoS protection):

function claimThrone() external payable gameNotEnded nonReentrant {
    // ... existing validation ...
    uint256 sentAmount = msg.value;
    uint256 previousKingPayout = 0;
    // If there's a previous king, pay them 5% of the claim fee
    if (currentKing != address(0) && currentKing != msg.sender) {
        previousKingPayout = (sentAmount * 5) / 100; // 5% to previous king
        // Don't revert if payment fails to prevent DoS attacks
        // where malicious contract king always reverts to block new claims
        (bool sent, ) = payable(currentKing).call{value: previousKingPayout}("");
        if (!sent) {
            // A failed payout stays in the pot instead of sitting unaccounted in the contract
            previousKingPayout = 0;
        }
        // Alternative: Use pull payment pattern for safer implementation
        // pendingPayouts[currentKing] += previousKingPayout;
    }
    uint256 currentPlatformFee = (sentAmount * platformFeePercentage) / 100;
    uint256 amountToPot = sentAmount - currentPlatformFee - previousKingPayout;
    // ... rest of function ...
}
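
The pull payment alternative named in the comments of Option 2, written out as an added example (not code from the submission or from the audited contract). The contract name, `pot`, `platformFeesBalance`, `withdrawPayout`, the events and the 5% platform fee are assumptions; the `gameNotEnded` and `nonReentrant` modifiers and the claim-fee validation are left out to keep it short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contract for illustration only.
contract ThronePullPayment {
    address public currentKing;
    uint256 public pot;                                   // assumed state variable
    uint256 public platformFeesBalance;                   // assumed state variable
    uint256 public constant platformFeePercentage = 5;    // assumed value
    uint256 public constant PREVIOUS_KING_PERCENTAGE = 5; // 5% as in Option 2
    mapping(address => uint256) public pendingPayouts;

    event PayoutCredited(address indexed previousKing, uint256 amount);
    event PayoutWithdrawn(address indexed account, uint256 amount);

    function claimThrone() external payable {
        require(msg.value > 0, "claim fee required");
        require(msg.sender != currentKing, "already king");

        uint256 sentAmount = msg.value;
        uint256 previousKingPayout = 0;
        if (currentKing != address(0)) {
            previousKingPayout = (sentAmount * PREVIOUS_KING_PERCENTAGE) / 100;
            // Credit only: no external call here, so a king whose
            // receive function reverts cannot block new claims.
            pendingPayouts[currentKing] += previousKingPayout;
            emit PayoutCredited(currentKing, previousKingPayout);
        }
        uint256 currentPlatformFee = (sentAmount * platformFeePercentage) / 100;
        platformFeesBalance += currentPlatformFee;
        // Every wei of msg.value is assigned to exactly one bucket.
        pot += sentAmount - currentPlatformFee - previousKingPayout;
        currentKing = msg.sender;
    }

    // Previous kings collect their share themselves.
    function withdrawPayout() external {
        uint256 amount = pendingPayouts[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingPayouts[msg.sender] = 0; // clear the balance before the external call
        (bool sent, ) = payable(msg.sender).call{value: amount}("");
        require(sent, "transfer failed"); // a revert here only affects the caller
        emit PayoutWithdrawn(msg.sender, amount);
    }
}
```

With this variant a failed transfer reverts only the withdrawing king's own transaction, and the credited amount stays in `pendingPayouts` for a later attempt.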
Updates

Appeal created

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing Previous King Payout Functionality
