Last Man Standing
First Flight #45
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: high
Invalid

Missing gameEndedOnly Modifier

nem0thefinder

Summary

This report identifies a minor security concern in the game smart contract where administrative functions lack proper access control modifiers. Three functions that should only be callable after the game has ended are missing the gameEndedOnly modifier, allowing game parameters to be modified while the game is active.

Description

The following administrative functions are missing the gameEndedOnly modifier, allowing them to be called while the game is running:

  1. updateGracePeriod()

  2. updateClaimFeeParameters()

  3. updatePlatformFeePercentage()

1. updateGracePeriod()

function updateGracePeriod(uint256 _newGracePeriod) external onlyOwner {
// Missing gameEndedOnly modifier
}

2. updateClaimFeeParameters()

function updateClaimFeeParameters(
uint256 _newInitialClaimFee,
uint256 _newFeeIncreasePercentage
) external onlyOwner isValidPercentage(_newFeeIncreasePercentage) {
// Missing gameEndedOnly modifier
}

3. updatePlatformFeePercentage()

function updatePlatformFeePercentage(uint256 _newPlatformFeePercentage)
external
onlyOwner
isValidPercentage(_newPlatformFeePercentage)
{
// Missing gameEndedOnly modifier
}

Impact

  • Grace Period Adjustments: Owner could modify grace periods during active gameplay, dethroning legit winner

  • Fee Structure Updates: Claim fees could be adjusted mid-game, changing participation costs

  • Platform Fee Modifications: Revenue distribution could be updated during active rounds

Mitigation

  • Add gameEndedOnly modifier for the three functions

Updates

Appeal created

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!