Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect Prize Amount in `GameEnded` Event Misleads External Systems

farrellhauzan

Description

The GameEnded event should emit the actual prize amount that the winner receives to provide accurate data for off-chain applications and monitoring systems.
The declareWinner function emits the event with prizeAmount set to pot after the pot has already been reset to 0, showing incorrect prize data.

function declareWinner() external gameNotEnded {

gameEnded = true;

pendingWinnings[currentKing] = pendingWinnings[currentKing] + pot; // Winner gets the pot

pot = 0; // @> Reset pot to 0 HERE

// @> Event emits pot which is now 0, not the actual prize amount

emit GameEnded(currentKing, pot, block.timestamp, gameRound);

}

Risk

Likelihood:

Every call to declareWinner() will emit incorrect prize data
External systems monitoring events will receive wrong information

Impact:

Off-chain applications and indexers receive incorrect prize data
Frontend applications display wrong winning amounts to users
Analytics and monitoring systems have inaccurate game statistics
User confusion when checking transaction logs

Proof of Concept

Looking at the declareWinner function:

function declareWinner() external gameNotEnded {

// ... validation checks ...

gameEnded = true;

pendingWinnings[currentKing] = pendingWinnings[currentKing] + pot; // Winner gets the pot

pot = 0; // Reset pot to 0 HERE

emit GameEnded(currentKing, pot, block.timestamp, gameRound); // pot is now 0!

}

Scenario:

Current pot is 5 ETH from multiple claims
Grace period expires, someone calls declareWinner()
Winner receives 5 ETH in pendingWinnings
pot is reset to 0
Event emits GameEnded(winner, 0, ...) instead of GameEnded(winner, 5, ...)

Recommended Mitigation

Store the prize amount before resetting the pot:

function declareWinner() external gameNotEnded {

require(currentKing != address(0), "Game: No one has claimed the throne yet.");

require(

block.timestamp > lastClaimTime + gracePeriod,

"Game: Grace period has not expired yet."

);

gameEnded = true;

+ uint256 prizeAmount = pot; // Store prize amount before reset

pendingWinnings[currentKing] = pendingWinnings[currentKing] + pot;

pot = 0;

+ emit GameEnded(currentKing, prizeAmount, block.timestamp, gameRound); // Correct amount

}

Updates

Appeal created

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Game::declareWinner emits GameEnded event with pot = 0 always

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.