The contract must not allow variables such as feeIncreasePercentage, platformFeePercentage and gracePeriod to be changed during an ongoing game. This could lead to user dissatisfaction, and a malicious owner who wants to steal user rewards could use these functions to their advantage.
Once a game has begun, these values must not be changed until the round is complete.
An unnecessary, mistaken or malicious update to these values could cause users to lose rewards.
Likelihood: LOW
These functions can only be called by the owner of the contract, who is a trusted person/account.
But if the owner is malicious, it becomes very difficult for all the other participants to play a fair game.
Impact: HIGH
Malicious access to the owner account, or a mistaken update by the owner, could lead to errors such as:
The grace period being set as low as 1 second, allowing anyone, including the deployer, to claim the reward almost instantly after claiming the throne; fair participation would be impossible.
A high platform fee percentage taking away most or all of the sent amount as a platform fee, so that nothing is added to the pot and everything goes to platformFee.
A sudden change in the claim-fee increase/decrease percentage making participation harder for users.
In this test function we can clearly see how the deployer could manipulate the variables and earn more in rewards than the intended reward for a normal game round.
The recommended mitigations for this issue are as follows:
Do not allow anyone to change these important variables during a game. Use the gameEndedOnly modifier on all of these functions to prevent this behaviour.
Do not let the owner of the contract play the game. Add a defensive check to the claimThrone function, such as require(msg.sender != owner()), to improve fairness in the game.
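A sketch of both mitigations together, added here as an illustration and not code from the audited contract (the contract name, default values and the startGame/declareWinner flow are assumed; only the names taken from the finding are real):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative contract, not the audited one. Names follow the finding
// (gracePeriod, claimThrone, gameEndedOnly); the rest of the layout is assumed.
contract HardenedThroneGame {
    address public owner = msg.sender;
    address public currentKing;
    uint256 public lastClaimTime;
    uint256 public gracePeriod = 1 days;
    uint256 public platformFeePercentage = 5;
    uint256 public feeIncreasePercentage = 10;
    uint256 public claimFee = 0.01 ether;
    uint256 public pot;
    uint256 public platformFee;
    bool public gameEnded = true; // no round until startGame()

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Mitigation 1: reject parameter changes while a round is in progress.
    modifier gameEndedOnly() { require(gameEnded, "round in progress"); _; }

    // Each setter carries gameEndedOnly, so a 1-second grace period or a 100% fee cannot be slipped in mid-round.
    function setGracePeriod(uint256 s) external onlyOwner gameEndedOnly { gracePeriod = s; }
    function setFeeIncreasePercentage(uint256 p) external onlyOwner gameEndedOnly { feeIncreasePercentage = p; }
    function setPlatformFeePercentage(uint256 p) external onlyOwner gameEndedOnly {
        require(p <= 100, "fee above 100%"); // a full fee would leave nothing for the pot
        platformFeePercentage = p;
    }
    function startGame() external onlyOwner gameEndedOnly { gameEnded = false; }

    function claimThrone() external payable {
        require(msg.sender != owner, "owner may not play"); // Mitigation 2
        require(!gameEnded, "no active round");
        require(msg.value >= claimFee, "fee too low");
        uint256 fee = (msg.value * platformFeePercentage) / 100;
        platformFee += fee;
        pot += msg.value - fee;
        currentKing = msg.sender;
        lastClaimTime = block.timestamp;
        claimFee += (claimFee * feeIncreasePercentage) / 100;
    }

    // The king wins once gracePeriod has elapsed with no new claim, so the
    // owner cannot shorten that window mid-round to favour a particular player.
    function declareWinner() external {
        require(!gameEnded && block.timestamp > lastClaimTime + gracePeriod, "grace period not over");
        gameEnded = true;
        uint256 prize = pot;
        pot = 0;
        (bool ok, ) = currentKing.call{value: prize}("");
        require(ok, "payout failed");
    }
}
```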