Last Man Standing

First Flight #45
Tags: Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Owner can drain the entire contract by claiming the throne himself

Description

Since the owner can manipulate values like gracePeriod and claimFee, he can reduce gracePeriod to a negligible amount around his own call to claimThrone() and then raise claimFee to an extremely large value, so that no one can claim the throne after him in the short remaining window. This ensures the owner wins the game and takes the entire pot as well as the entire platform fee, keeping everything for himself.

Impact

This is a prime example of centralization risk. The owner has too much power and can manipulate the game parameters to win everything himself in an unfair manner. Users lose funds in a rigged game.

Proof of Concept

Here's a Foundry test case demonstrating this:

function test_OwnerTakesEverything() public {
    // Two ordinary players pay into the pot.
    vm.prank(player2);
    game.claimThrone{value: 0.2 ether}();
    vm.prank(player3);
    game.claimThrone{value: 0.3 ether}();

    vm.startPrank(deployer); // the owner here
    // Owner shrinks the grace period, claims the throne, then raises the
    // claim fee so nobody can realistically dethrone him in time.
    game.updateGracePeriod(10 seconds);
    game.claimThrone{value: 1 ether}();
    game.updateClaimFeeParameters(10_000_000e18, 10); // increases the claimFee to an impossible amount

    uint256 ownerBalanceBefore = deployer.balance;
    uint256 gameBalance = game.getContractBalance();
    game.withdrawPlatformFees();
    vm.warp(block.timestamp + 12 seconds); // the 10 second grace period has now elapsed
    game.withdrawWinnings();
    uint256 ownerBalanceAfter = deployer.balance;
    vm.stopPrank();

    // Owner received everything the contract held (pot + platform fees).
    assert(gameBalance == (ownerBalanceAfter - ownerBalanceBefore));
}

Mitigation Steps

Set a minimum grace period duration and a maximum threshold for claimFee (and for its per-claim increase), so that the owner may still participate in the game but cannot guarantee his own win.
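One way to enforce those bounds in the owner-only setters. This is an added illustrative contract, not the Game contract from the First Flight: only the names updateGracePeriod, updateClaimFeeParameters, gracePeriod and claimFee come from the report; the second parameter of updateClaimFeeParameters being a percentage increase, the constant values, the error and event names and the onlyOwner modifier are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative hardened parameter setters (added example, not the project's code).
/// Bound values are assumptions; pick ones that keep the game playable whoever
/// holds the owner key.
contract BoundedGameParams {
    error NotOwner();
    error GracePeriodTooShort(uint256 requested, uint256 minimum);
    error ClaimFeeTooHigh(uint256 requested, uint256 maximum);
    error IncreasePercentageTooHigh(uint256 requested, uint256 maximum);

    uint256 public constant MIN_GRACE_PERIOD = 1 hours;        // assumed
    uint256 public constant MAX_CLAIM_FEE = 1 ether;           // assumed
    uint256 public constant MAX_INCREASE_PERCENTAGE = 50;      // assumed, percent per claim

    address public immutable owner;
    uint256 public gracePeriod;
    uint256 public claimFee;
    uint256 public claimFeeIncreasePercentage; // assumed meaning of the second setter argument

    event GracePeriodUpdated(uint256 newGracePeriod);
    event ClaimFeeParametersUpdated(uint256 newClaimFee, uint256 newIncreasePercentage);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 initialGracePeriod, uint256 initialClaimFee, uint256 initialIncreasePercentage) {
        owner = msg.sender;
        // Apply the same bounds to the deployment values so the game can
        // never start in a rigged state either.
        _setGracePeriod(initialGracePeriod);
        _setClaimFeeParameters(initialClaimFee, initialIncreasePercentage);
    }

    // Unbounded shape that the report exploits: any owner-supplied value is accepted.
    // function updateGracePeriod(uint256 newGracePeriod) external onlyOwner {
    //     gracePeriod = newGracePeriod;
    // }

    function updateGracePeriod(uint256 newGracePeriod) external onlyOwner {
        _setGracePeriod(newGracePeriod);
    }

    function updateClaimFeeParameters(uint256 newClaimFee, uint256 newIncreasePercentage) external onlyOwner {
        _setClaimFeeParameters(newClaimFee, newIncreasePercentage);
    }

    function _setGracePeriod(uint256 newGracePeriod) internal {
        // A floor on the grace period means nobody, owner included, can make the
        // "remaining period" short enough that no other player can respond.
        if (newGracePeriod < MIN_GRACE_PERIOD) {
            revert GracePeriodTooShort(newGracePeriod, MIN_GRACE_PERIOD);
        }
        gracePeriod = newGracePeriod;
        emit GracePeriodUpdated(newGracePeriod);
    }

    function _setClaimFeeParameters(uint256 newClaimFee, uint256 newIncreasePercentage) internal {
        // A ceiling on the fee (and on how fast it can grow) keeps claiming
        // the throne affordable for someone other than the current king.
        if (newClaimFee > MAX_CLAIM_FEE) {
            revert ClaimFeeTooHigh(newClaimFee, MAX_CLAIM_FEE);
        }
        if (newIncreasePercentage > MAX_INCREASE_PERCENTAGE) {
            revert IncreasePercentageTooHigh(newIncreasePercentage, MAX_INCREASE_PERCENTAGE);
        }
        claimFee = newClaimFee;
        claimFeeIncreasePercentage = newIncreasePercentage;
        emit ClaimFeeParametersUpdated(newClaimFee, newIncreasePercentage);
    }
}
```

Two caveats a reviewer would want noted. First, if claimThrone() itself escalates claimFee by claimFeeIncreasePercentage on every claim (an assumption here), the MAX_CLAIM_FEE cap must also be applied on that path, otherwise the setter bound can be bypassed by ordinary play. Second, bounds alone still let the owner change parameters and claim the throne in the same transaction, as the PoC above does; if that ordering advantage is a concern, parameter changes should only take effect after a delay (a simple timelock) rather than immediately.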

Updates

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
