Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Owner Can Modify Critical Game Parameters During Active Game

osok17

Root + Impact

Description

Normally, the game parameters like gracePeriod, initialClaimFee, feeIncreasePercentage, and platformFeePercentage are expected to remain stable during a single round of the game to ensure fairness and predictability for all players.
However, the contract allows the owner to modify these parameters at any time, even while a game round is active. This creates a risk where the rules of the game may change mid-round, possibly impacting player decisions and game outcomes.

function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {

@> gracePeriod = _newGracePeriod;

emit GracePeriodUpdated(_newGracePeriod);

}

function updateClaimFeeParameters(...) external onlyOwner isValidPercentage(...) {

@> initialClaimFee = _newInitialClaimFee;

@> feeIncreasePercentage = _newFeeIncreasePercentage;

}

function updatePlatformFeePercentage(...) external onlyOwner isValidPercentage(...) {

@> platformFeePercentage = _newPlatformFeePercentage;

}

Risk

Likelihood:

This can occur whenever the owner decides to update parameters without calling resetGame(), i.e., during any active game round.
No runtime or compile-time guard (such as gameEndedOnly) is used to prevent this.

Impact:

Players may be misled or disadvantaged due to changes in game logic or fees after they have already committed ETH or made strategic decisions.
The discrepancy between the updated values and the reset values (which revert to initial settings) may create inconsistent or unexpected behavior.

Proof of Concept

No exploit required—this is a trust/design issue

Recommended Mitigation

This ensures parameters can only be changed after the game ends, maintaining fairness for all participants.

function updateGracePeriod(uint256 _newGracePeriod)

external

onlyOwner

+ gameEndedOnly

{

require(_newGracePeriod > 0, "Game: New grace period must be greater than zero.");

gracePeriod = _newGracePeriod;

emit GracePeriodUpdated(_newGracePeriod);

}

function updateClaimFeeParameters(...)

external

onlyOwner

isValidPercentage(...)

+ gameEndedOnly

{

...

}

function updatePlatformFeePercentage(...)

external

onlyOwner

isValidPercentage(...)

+ gameEndedOnly

{

...

}

Updates

Appeal created

inallhonesty Lead Judge 15 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.