Last Man Standing

First Flight #45

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Unlimited platform fee allows complete player fund extraction

anchabadze

Description:

The protocol allows the owner to set platformFeePercentage up to 100%, effectively enabling complete extraction of all player funds. The validation only checks that the percentage doesn't exceed 100%:

// Constructor validation

require(_platformFeePercentage <= 100, "Game: Platform fee percentage must be 0-100.");

// Update function with same validation

modifier isValidPercentage(uint256 _percentage) {

require(_percentage <= 100, "Game: Percentage must be 0-100.");

}

When platformFeePercentage = 100%, the fee calculation in claimThrone() becomes:

// Platform fee calculation

currentPlatformFee = (sentAmount * platformFeePercentage) / 100;

// With 100%: currentPlatformFee = (sentAmount * 100) / 100 = sentAmount

// Remaining amount to pot

amountToPot = sentAmount - currentPlatformFee;

// With 100%: amountToPot = sentAmount - sentAmount = 0

This results in:

All player payments going directly to platformFeesBalance
Zero funds added to the pot
No prize for any winner

Impact:

Owner can legally take 100% of all player deposits

Players compete for an empty pot while owner collects everything

Owner can start with reasonable fees then increase to 100% mid-protocol

Players lose all invested funds with no possibility of returns

Recommended Mitigation:

Implement a reasonable maximum platform fee to maintain game economics and player incentives:

// Add maximum platform fee constant

uint256 public constant MAX_PLATFORM_FEE = 20; // 20% maximum

// Update constructor validation

constructor(

uint256 _initialClaimFee,

uint256 _gracePeriod,

uint256 _feeIncreasePercentage,

uint256 _platformFeePercentage

) Ownable(msg.sender) {

require(_initialClaimFee > 0, "Game: Initial claim fee must be greater than zero.");

require(_gracePeriod > 0, "Game: Grace period must be greater than zero.");

require(_feeIncreasePercentage <= 100, "Game: Fee increase percentage must be 0-100.");

require(_platformFeePercentage <= MAX_PLATFORM_FEE, "Game: Platform fee exceeds maximum.");

// ... rest of constructor

}

// Update modifier

modifier isValidPlatformFeePercentage(uint256 _percentage) {

require(_percentage <= MAX_PLATFORM_FEE, "Game: Platform fee exceeds maximum.");

}

// Update function signature

function updatePlatformFeePercentage(uint256 _newPlatformFeePercentage)

external

onlyOwner

isValidPlatformFeePercentage(_newPlatformFeePercentage) // Use specific modifier

{

platformFeePercentage = _newPlatformFeePercentage;

emit PlatformFeePercentageUpdated(_newPlatformFeePercentage);

}

This ensures the game remains economically viable for players while providing reasonable revenue for the platform operator.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!