Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

M03. Owner Can Modify Game Parameters During Active Round and its transaction can be front-run

accessdenied

Root + Impact

Description

In normal gameplay, game parameters such as the gracePeriod, claimFee, and platformFeePercentage are expected to remain constant during a round, ensuring fairness and predictable behavior for all participants.

However, the following functions can be called by the owner at any time, even during an active round:

updateGracePeriod()
updateClaimFeeParameters()
updatePlatformFeePercentage()

This allows the owner to change critical economic parameters mid-game, which can:

Alter incentives or expected returns.
Enable front-running of parameter updates by other players (call claimThrones just before the owner's transaction).
Create an unfair advantage for players aware of the upcoming changes.

// Root cause in the codebase with @> marks to highlight the relevant section

@> function updateGracePeriod(uint256 _gracePeriod) external onlyOwner {

require(_gracePeriod > 0, "Game: Grace period must be greater than zero.");

gracePeriod = _gracePeriod;

}

@> function updateClaimFeeParameters(...) external onlyOwner {

...

claimFee = _initialClaimFee;

}

@> function updatePlatformFeePercentage(...) external onlyOwner {

...

platformFeePercentage = _platformFeePercentage;

}

Risk

Likelihood: HIGH

The owner can change parameters arbitrarily during gameplay.
Players may observe parameter changes in the mempool and front-run critical transactions.

Impact: MEDIUM

Players can lose funds due to reduced rewards or shortened grace periods.
The game becomes untrustworthy and economically unpredictable.
The owner could collude or act maliciously, undermining decentralization and fairness.

Proof of Concept

// Owner lowers claim fee right before front-running a throne claim

game.updateClaimFeeParameters(0.01 ether, 10); // lowers cost to claim

// Front-running transaction

game.claimThrone{value: 0.01 ether}(); // cheaper and earlier than fair competition

// Alternatively, gracePeriod is reduced to make current king lose earlier

game.updateGracePeriod(10); // 10 seconds

// Then declareWinner() is called unfairly early

game.declareWinner();

Recommended Mitigation

- function updateGracePeriod(uint256 _gracePeriod) external onlyOwner {

+ function updateGracePeriod(uint256 _gracePeriod) external onlyOwner gameEndedOnly {

- function updateClaimFeeParameters(...) external onlyOwner {

+ function updateClaimFeeParameters(...) external onlyOwner gameEndedOnly {

- function updatePlatformFeePercentage(...) external onlyOwner {

+ function updatePlatformFeePercentage(...) external onlyOwner gameEndedOnly {

This ensures updates can only occur between rounds, preserving fairness and eliminating exploitable mid-game behavior.

Updates

Appeal created

inallhonesty Lead Judge 10 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.