Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Malicious Owner Can Update Grace Period to their Favour

obeddev

Root + Impact

Description

The owner can update the gracePeriod at any time using updateGracePeriod.
The owner is allowed to change the grace period even while the game is still running, which can unfairly alter the game's flow or outcome.

function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {

// @> no check for gameEnded

require(_newGracePeriod > 0, "Game: New grace period must be greater than zero.");

gracePeriod = _newGracePeriod;

emit GracePeriodUpdated(_newGracePeriod);

}

Risk

Likelihood:

This will occur any time the owner wants to favor themselves or another player while the game is still active.
It can be triggered manually, making it a targeted attack vector.

Impact:

Owner can shorten grace period and quickly declare a winner.
Undermines fairness and trust in the game's integrity.

Proof of Concept

The test shows how the contract owner can cheat:

A player claims the throne.
Time passes, and the game should end.
But the owner changes the grace period to a longer time.
The owner claims the throne after the original grace period ended.
Then declares themselves the winner.

This proves the owner can manipulate the game timing in their favor.

function test__OwnerCanManipulateGame() public {

// Player1 claims throne

vm.prank(player1);

game.claimThrone{value: 1 ether}();

// Time passes beyond original grace period

vm.warp(GRACE_PERIOD + 1 hours);

// Owner manipulates game

vm.startPrank(deployer);

game.updateGracePeriod(GRACE_PERIOD + 3 hours); // Maliciously extends grace period

game.claimThrone{value: 3 ether}(); // Claims throne after original grace period

vm.warp(block.timestamp + GRACE_PERIOD + 1 hours);

game.declareWinner(); // Declares self as winner

vm.stopPrank();

// Assert owner became king by manipulating grace period

assertEq(game.getCurrentKing(), deployer);

}

Recommended Mitigation

To prevent abuse, only allow the owner to change the grace period after the game ends.

function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {

+ require(gameEnded, "Game: Can only update grace period after game ends.");

require(_newGracePeriod > 0, "Game: New grace period must be greater than zero.");

gracePeriod = _newGracePeriod;

emit GracePeriodUpdated(_newGracePeriod);

}

Updates

Appeal created

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.