Submission Details
Severity:
Incorrect require Condition in claimThrone Function
Root + Impact
Description
-
-
The statement checks if msg.sender is equal to currentKing and reverts if true, preventing the current king from reclaiming the throne. However, the condition should be msg.sender != currentKing to allow a new player to claim the throne while preventing the current king from re-claiming unnecessarily.
-
The condition should be negated to prevent the current king from claiming again.
function claimThrone() external payable gameNotEnded nonReentrant {
require(msg.value >= claimFee, "Game: Insufficient ETH sent to claim the throne.");
@> require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
uint256 sentAmount = msg.value;
uint256 previousKingPayout = 0;
uint256 currentPlatformFee = 0;
uint256 amountToPot = 0;
// Calculate platform fee
currentPlatformFee = (sentAmount * platformFeePercentage) / 100;
// Defensive check to ensure platformFee doesn't exceed available amount after previousKingPayout
if (currentPlatformFee > (sentAmount - previousKingPayout)) {
currentPlatformFee = sentAmount - previousKingPayout;
}
platformFeesBalance = platformFeesBalance + currentPlatformFee;
// Remaining amount goes to the pot
amountToPot = sentAmount - currentPlatformFee;
pot = pot + amountToPot;
// Update game state
currentKing = msg.sender;
lastClaimTime = block.timestamp;
playerClaimCount[msg.sender] = playerClaimCount[msg.sender] + 1;
totalClaims = totalClaims + 1;
// Increase the claim fee for the next player
claimFee = claimFee + (claimFee * feeIncreasePercentage) / 100;
emit ThroneClaimed(
msg.sender,
sentAmount,
claimFee,
pot,
block.timestamp
);
}
Impact:
-
-
Breaks core game mechanics: The original implementation makes the game unplayable after the first claim.
Proof of Concept
function testClaimThroneIncorrectRequirement() public {
// Step 1: Player1 claims the throne, becomes currentKing
vm.prank(player1);
game.claimThrone{value: INITIAL_CLAIM_FEE}();
assertEq(game.currentKing(), player1, "Player1 should be the current king");
assertEq(game.claimFee(), 0.11 ether, "Claim fee should increase by 10% after first claim");
// Step 2: Player1 attempts to claim again, should revert due to buggy require(msg.sender == currentKing)
vm.expectRevert("Game: You are already the king. No need to re-claim.");
vm.prank(player1);
game.claimThrone{value: 0.11 ether}();
// Step 3: Player2 claims the throne, should succeed as they are not currentKing
vm.prank(player2);
game.claimThrone{value: 0.11 ether}();
assertEq(game.currentKing(), player2, "Player2 should be the current king");
assertEq(game.claimFee(), 0.121 ether, "Claim fee should increase by 10% after second claim");
}
Recommended Mitigation
Update the require statement in the claimThrone function to use the correct logical condition.
function claimThrone() external payable gameNotEnded nonReentrant {
require(msg.value >= claimFee, "Game: Insufficient ETH sent to claim the throne.");
- require(msg.sender == currentKing, "Game: You are already the king. No need to re-claim.");
+ require(msg.sender != currentKing, "Game: Current king cannot claim again.");
uint256 sentAmount = msg.value;
uint256 previousKingPayout = 0;
uint256 currentPlatformFee = 0;
uint256 amountToPot = 0;
// Calculate platform fee
currentPlatformFee = (sentAmount * platformFeePercentage) / 100;
// Defensive check to ensure platformFee doesn't exceed available amount after previousKingPayout
if (currentPlatformFee > (sentAmount - previousKingPayout)) {
currentPlatformFee = sentAmount - previousKingPayout;
}
platformFeesBalance = platformFeesBalance + currentPlatformFee;
// Remaining amount goes to the pot
amountToPot = sentAmount - currentPlatformFee;
pot = pot + amountToPot;
// Update game state
currentKing = msg.sender;
lastClaimTime = block.timestamp;
playerClaimCount[msg.sender] = playerClaimCount[msg.sender] + 1;
totalClaims = totalClaims + 1;
// Increase the claim fee for the next player
claimFee = claimFee + (claimFee * feeIncreasePercentage) / 100;
emit ThroneClaimed(
msg.sender,
sentAmount,
claimFee,
pot,
block.timestamp
);
}
Updates
Appeal created
inallhonesty 18 days ago
Submission Judgement Published Assigned finding tags:
Game::claimThrone `msg.sender == currentKing` check is busted
Rewards breakdown
nSLOC
181This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.