Last Man Standing

First Flight #45
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Critical Access Control Vulnerability in claimThrone() Function

Root + Impact

Description

The `claimThrone()` function contains a logical error in its access control check that completely breaks the core game mechanics. The require statement on line 188, `require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");`, incorrectly allows only the current King to claim the throne again, whereas the intended behavior, per the game rules, is to prevent the current King from reclaiming it.

  • What should happen: Any player (except the current king) should be able to claim the throne by paying the required fee.

  • What actually happens: The check prevents other players from claiming the throne, because the condition `msg.sender == currentKing` will always be false for new claimants.

@> require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");

Risk

Likelihood:

  • Affects 100% of subsequent claim attempts

  • Makes the game completely unplayable after the first claim.

Impact:

  • The first king becomes the permanent winner by default, effectively blocking other players from participating. This disrupts the game's fairness and intended mechanics.

  • No competition possible, leading to game breakdown

Proof of Concept

Deploy the Game contract with initial parameters (e.g., initialClaimFee = 1 ETH, gracePeriod = 24 hours).
Player A calls claimThrone with 1 ETH, becoming the current King (currentKing = Player A).
Player B attempts to claim the throne with 1 ETH. The transaction reverts with "Game: You are already the king. No need to re-claim.", despite Player B not being the King.
Player A calls claimThrone again with the updated claimFee. The transaction succeeds, resetting lastClaimTime and keeping Player A as the King.
Steps 5-7 can repeat indefinitely, locking Player B and others out of the game.
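
The lock-out in the steps above, reduced to a Foundry test (an added example, not the contest's code or the submitter's). `ThroneModel` is a constructed stand-in that keeps only the sender check; its name, constructor, the flat 1 ether fee and the starting state with Player A already crowned are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed minimal model of the sender check; NOT the audited Game contract.
// Assumption: Player A already holds the throne when the model is deployed.
contract ThroneModel {
    address public currentKing;
    bool public immutable fixedCheck; // false = check as reported, true = mitigation
    constructor(address firstKing, bool fixedCheck_) {
        currentKing = firstKing;
        fixedCheck = fixedCheck_;
    }

    function claimThrone() external payable {
        require(msg.value >= 1 ether, "model: fee too low"); // hypothetical flat fee
        if (fixedCheck) {
            require(msg.sender != currentKing, "Game: You are already the king. Cannot claim again.");
        } else {
            require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
        }
        currentKing = msg.sender;
    }
}

contract ThroneCheckTest is Test {
    address playerA = makeAddr("playerA");
    address playerB = makeAddr("playerB");

    // Reported behaviour: the challenger reverts, the sitting king re-claims.
    function test_BuggyCheckLocksOutChallenger() public {
        ThroneModel game = new ThroneModel(playerA, false);
        hoax(playerB, 1 ether); // fund playerB and make it the next caller
        vm.expectRevert(bytes("Game: You are already the king. No need to re-claim."));
        game.claimThrone{value: 1 ether}();
        hoax(playerA, 1 ether);
        game.claimThrone{value: 1 ether}();
        assertEq(game.currentKing(), playerA);
    }

    // Mitigated behaviour: the challenger takes the throne, then cannot re-claim it.
    function test_FixedCheckAllowsChallengerAndBlocksKing() public {
        ThroneModel game = new ThroneModel(playerA, true);
        hoax(playerB, 1 ether);
        game.claimThrone{value: 1 ether}();
        assertEq(game.currentKing(), playerB);
        hoax(playerB, 1 ether);
        vm.expectRevert(bytes("Game: You are already the king. Cannot claim again."));
        game.claimThrone{value: 1 ether}();
    }
}
```

Both tests pass against the model with `forge test`; pointed at the real contract, the second test is the regression check for the fix.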

Recommended Mitigation

Current code:
- require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
The current code require(msg.sender == currentKing) allows the current King to re-claim the throne.
It hinders other players from claiming the throne; thus, competition is not achieved.
Fixed code:
+ require(msg.sender != currentKing, "Game: You are already the king. Cannot claim again.");
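Review bot: the `+` line changes the revert string as well as the operator ("No need to re-claim." becomes "Cannot claim again."), so any test or client that matches the old message will break alongside the logic fix. Consider leaving the string untouched so the patch is a pure `==` to `!=` change, and add a regression test in which a second account claims successfully and the sitting king's own call reverts.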
This change ensures:
  • Only non-King players can claim the throne, aligning with the game's competitive intent.

  • The error message accurately reflects the condition being enforced, improving clarity.

Updates

Appeal created

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Game::claimThrone `msg.sender == currentKing` check is busted
