Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Lack of Minimum Grace Period Can Result in Unfair Advantage for the Current King

Description: The gracePeriod should be set to a reasonable duration to allow players to fairly participate in the game. The deployer can currently update gracePeriod to a very short window (1 second), which would not allow fair and proper game participation. This could potentially cause confusion and disruption of the protocol. A malicious deployer could use this to manipulate the outcome of a game, allowing the current king to gain an advantage (if changed mid-game).

Impact: Medium

  • While no funds are directly at risk, many players could be put at a disadvantage, especially if the new grace period is set to a very short duration.

Likelihood: Medium

  • There are no minimum duration checks on the gracePeriod parameter. Thus, it could be set to any number by the deployer.

Proof of Concept:

  1. Create a game with a one-day grace period.

  2. Advance the block timestamp by 1 second with vm.warp.

  3. Deployer updates gracePeriod to 1 second.

  4. The game is now over.

Proof of Code: Paste the code below into Game.t.sol.

    function test_NoMinGracePeriod() public {
        // Current game time remaining
        uint256 timeRemaining = game.getRemainingTime();
        console2.log("Time remaining in the game:", timeRemaining);

        // Current grace period
        console2.log("Current grace period:", game.gracePeriod());

        // Let one second of game time pass
        console2.log("Advancing time by 1 second...");
        vm.warp(block.timestamp + 1 seconds);

        // Deployer updates the grace period mid-game
        vm.startPrank(deployer);
        uint256 newGracePeriod = 1 seconds; // Update to 1 second
        console2.log("Updating grace period to:", newGracePeriod);
        game.updateGracePeriod(newGracePeriod);
        vm.stopPrank();

        // Verify the game time remaining after updating the grace period: no time left
        uint256 timeRemaining2 = game.getRemainingTime();
        console2.log("Time remaining in the game:", timeRemaining2);
        assertEq(timeRemaining2, 0, "Game should have no time remaining");

        // Verify the new grace period
        assertEq(game.gracePeriod(), newGracePeriod, "Grace period should be updated to 1 second");
    }

Here is the output after running:

"forge test --mt test_NoMinGracePeriod -vv"

Logs:
Time remaining in the game: 86400
Current grace period: 86400
Advancing time by 1 second...
Updating grace period to: 1
Time remaining in the game: 0

Recommended Mitigation: I would recommend creating a minimum grace period of one hour to allow the game to function properly. The game::updateGracePeriod function will be updated, and we must initialize the new minGracePeriod at the top.

Here is how to make the change:

+ uint256 public constant MIN_GRACE_PERIOD = 1 hours;

And:

function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {
- require(_newGracePeriod > 0, "Game: New grace period must be greater than zero.");
+ require(_newGracePeriod > MIN_GRACE_PERIOD, "Game: New grace period must be greater than the minimum.");
gracePeriod = _newGracePeriod;
emit GracePeriodUpdated(_newGracePeriod);
}
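
Review bot: the replacement require in updateGracePeriod compares with `>`, so a value of exactly MIN_GRACE_PERIOD (1 hours) is rejected even though the constant is named and described as a minimum; `>=` with a message such as "must be at least the minimum" would match that intent. Judging by the logged values in the proof of concept, the floor alone also does not cover the mid-game case: once more than an hour has elapsed on the current timer, lowering gracePeriod to just above 1 hours would still bring the remaining time to 0, so consider applying a new value only from the next round.
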
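
An added example, not code from the submission or from the contest's Game contract: a minimal timer model showing one way to handle the mid-game case raised in the Description, by enforcing a floor and queuing owner updates until the next claim. The names lastClaimTime, pendingGracePeriod and claim(), the owner check message, and the lastClaimTime + gracePeriod timer formula are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the contest's Game contract. lastClaimTime,
/// pendingGracePeriod and claim() are hypothetical names; the timer formula
/// is an assumption inferred from the logged values in the proof of concept.
contract GraceTimerModel {
    uint256 public constant MIN_GRACE_PERIOD = 1 hours;

    address public immutable owner;
    uint256 public gracePeriod;        // window used by the round in progress
    uint256 public pendingGracePeriod; // takes effect at the next claim
    uint256 public lastClaimTime;

    event GracePeriodUpdated(uint256 newGracePeriod);

    modifier onlyOwner() {
        require(msg.sender == owner, "Game: Caller is not the owner.");
        _;
    }

    constructor(uint256 _gracePeriod) {
        require(_gracePeriod >= MIN_GRACE_PERIOD, "Game: Grace period below minimum.");
        owner = msg.sender;
        gracePeriod = _gracePeriod;
        pendingGracePeriod = _gracePeriod;
        lastClaimTime = block.timestamp;
    }

    /// Assumed timer: the round ends at lastClaimTime + gracePeriod.
    function getRemainingTime() public view returns (uint256) {
        uint256 deadline = lastClaimTime + gracePeriod;
        return block.timestamp >= deadline ? 0 : deadline - block.timestamp;
    }

    /// Enforces the floor and defers the change, so the countdown that
    /// players are currently racing against never moves.
    function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {
        require(_newGracePeriod >= MIN_GRACE_PERIOD, "Game: Grace period below minimum.");
        pendingGracePeriod = _newGracePeriod;
        emit GracePeriodUpdated(_newGracePeriod);
    }

    /// Stand-in for a throne claim: restarts the timer and adopts the queued value.
    function claim() external {
        require(getRemainingTime() > 0, "Game: Round is over.");
        gracePeriod = pendingGracePeriod;
        lastClaimTime = block.timestamp;
    }
}
```
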
Updates

Appeal created

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
