Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Missing Validation in Constructor Parameters

r4y4n3

Root + Impact

Description

Normal behavior:
Constructor should validate that percentage parameters are within reasonable ranges to ensure the game remains playable and economically balanced.

Specific issue:
The constructor validates that percentages are <= 100 but allows extreme values like 100% fee increase (fees double each claim) and 100% platform fee (all funds go to owner), which can make the game unplayable or pointless.

// src/Game.sol

constructor(

uint256 _initialClaimFee,

uint256 _gracePeriod,

uint256 _feeIncreasePercentage,

uint256 _platformFeePercentage

) Ownable(msg.sender) {

require(_feeIncreasePercentage <= 100, "Game: Fee increase percentage must be 0-100."); // @> Allows 100%

require(_platformFeePercentage <= 100, "Game: Platform fee percentage must be 0-100."); // @> Allows 100%

}

Risk

Likelihood:

Deployer sets extreme values during deployment, either intentionally or by mistake.

Impact:

100% fee increase causes fees to double each claim (0.1 → 0.2 → 0.4 → 0.8 ETH), making game unplayable.
100% platform fee means all funds go to owner and pot remains zero, making game pointless.
Users lose trust due to unfair or broken economic model.

Proof of Concept

The following tests demonstrate that the constructor accepts problematic extreme values:

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

import {Game} from "../src/Game.sol";

contract GameConstructorValidationTest is Test {

address public deployer;

uint256 public constant INITIAL_CLAIM_FEE = 0.1 ether;

uint256 public constant GRACE_PERIOD = 1 days;

function setUp() public {

deployer = makeAddr("deployer");

vm.deal(deployer, 10 ether);

}

function testConstructorAllows100PercentFeeIncrease() public {

// Constructor allows 100% fee increase, which means fees double each claim

vm.startPrank(deployer);

Game game = new Game(

INITIAL_CLAIM_FEE,

GRACE_PERIOD,

100, // 100% fee increase - PROBLEMATIC

5 // 5% platform fee

);

vm.stopPrank();

// Verify the problematic values were set

assertEq(game.feeIncreasePercentage(), 100, "Fee increase should be 100%");

// This means fees will double: 0.1 → 0.2 → 0.4 → 0.8 → 1.6 ETH

// Game becomes unplayable very quickly

}

function testConstructorAllows100PercentPlatformFee() public {

// Constructor allows 100% platform fee, meaning all funds go to owner

vm.startPrank(deployer);

Game game = new Game(

INITIAL_CLAIM_FEE,

GRACE_PERIOD,

10, // 10% fee increase

100 // 100% platform fee - PROBLEMATIC

);

vm.stopPrank();

// Verify the problematic value was set

assertEq(game.platformFeePercentage(), 100, "Platform fee should be 100%");

// This means pot will always be 0, making the game pointless

}

function testConstructorShouldRejectExtremeValues() public {

// These should fail but currently pass

vm.startPrank(deployer);

// Should reject extreme fee increase

vm.expectRevert(); // This will fail because constructor doesn't validate properly

Game game1 = new Game(INITIAL_CLAIM_FEE, GRACE_PERIOD, 101, 5);

// Should reject extreme platform fee

vm.expectRevert(); // This will fail because constructor doesn't validate properly

Game game2 = new Game(INITIAL_CLAIM_FEE, GRACE_PERIOD, 10, 101);

vm.stopPrank();

}

function testReasonableParametersWork() public {

// Reasonable parameters should work

vm.startPrank(deployer);

Game game = new Game(

INITIAL_CLAIM_FEE,

GRACE_PERIOD,

20, // 20% fee increase (reasonable)

10 // 10% platform fee (reasonable)

);

vm.stopPrank();

assertEq(game.feeIncreasePercentage(), 20, "Should accept reasonable fee increase");

assertEq(game.platformFeePercentage(), 10, "Should accept reasonable platform fee");

}

Recommended Mitigation

Add proper range validation for percentage parameters to ensure reasonable game economics:

- require(_feeIncreasePercentage <= 100, "Game: Fee increase percentage must be 0-100.");

- require(_platformFeePercentage <= 100, "Game: Platform fee percentage must be 0-100.");

+ require(_feeIncreasePercentage <= 50, "Game: Fee increase percentage must be 0-50.");

+ require(_platformFeePercentage <= 30, "Game: Platform fee percentage must be 0-30.");

Updates

Appeal created

inallhonesty Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.