claimThrone() Locked at Deployment — Only `CurrentKing` Can Call Initially
Description
In the current implementation of claimThrone(), the contract enforces that msg.sender must be equal to currentKing. However, upon deployment, currentKing is initialized to address(0), meaning only address(0) can call claimThrone() initially — which is impossible on-chain. This condition permanently locks the function and prevents any player from claiming the throne, effectively breaking the core gameplay.
Risk
HIGH
Likelihood:
-
Occurs immediately upon deployment, on the first ever
claimThrone()attempt. -
Will always trigger in production unless manually initialized via a privileged function (which is not ideal for fairness or decentralization).
Impact:
-
Game halts entirely — no user can become king.
-
Game logic becomes unreachable, and the contract becomes unusable without redeployment or admin intervention.
Proof of Concept
-
Deploy the contract.
-
Try calling
claimThrone()from any EOA:game.claimThrone{value: claimFee}(); // reverts -
Fails with:
Game: You are already the king. No need to re-claim.. -
Because
currentKing == address(0)and no valid address can ever bemsg.sender == address(0).
Recommended Mitigation
Fix the require check
Appeal created
Game::claimThrone `msg.sender == currentKing` check is busted
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.