Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect Claim Logic Implemented

ishwar

Description

Normally, any player except the current king should be able to claim the throne by paying the current claim fee. The claim logic is the fundamental gatekeeper for game progression.
Instead, the code only allows the current king to reclaim the throne. This mistake effectively locks the game, preventing new players from participating. The business logic is inverted, and the game cannot progress past the initial claim.

function claimThrone() external payable gameNotEnded nonReentrant {

require(msg.value >= claimFee, "Game: Insufficient ETH sent to claim the throne.");

@> require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim."); <@

// rest of function

}

Risk

Likelihood:

This bug is always present (every claim attempt by a non-king will fail).
No player except the current king can ever claim the throne after deployment.

Impact:

The game is rendered non-functional after the first claim.
No new rounds, no competition, and no pot growth occurs.

Proof of Concept

// Only currentKing can claim, non-kings are blocked:

require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");

Explanation:
Anyone except the current king will hit this require and revert, blocking all new claimants. This directly contradicts the business logic and makes the game unplayable beyond the first claim.

Recommended Mitigation

- require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");

+ require(msg.sender != currentKing, "Game: You are already the king. No need to re-claim.");

Mitigation Explanation:
By changing the comparison to !=, only non-kings can claim, aligning with the intended game flow and restoring functionality.

Updates

Appeal created

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Game::claimThrone `msg.sender == currentKing` check is busted

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.