Audit name:
[SCA] Base Paper Scissors / Contract & Token / Jun2024
Date:
Jul 10, 2024
Table of Content
Introduction
We express our gratitude to the Base Paper Scissors team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Base Paper Scissors is a decentralized application (dApp) that allows users to play a game of Rock, Paper, Scissors on the blockchain.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Base Paper Scissors |
| Audited By | Kornel Światłowski |
| Approved By | Przemyslaw Swiatowiec |
| Website | https://bps.fun→ |
| Changelog | 27/06/2024 - Preliminary Report; 04/07/2024 - Final Report |
| Platform | Base |
| Language | Solidity |
| Tags | ERC20, Game |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Base Paper Scissors
- Audited By
- Kornel Światłowski
- Approved By
- Przemyslaw Swiatowiec
- Website
- https://bps.fun→
- Changelog
- 27/06/2024 - Preliminary Report; 04/07/2024 - Final Report
- Platform
- Base
- Language
- Solidity
- Tags
- ERC20, Game
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository | https://github.com/lukabuz/block-paper-scissors/tree/release/hacken-audit→ |
| Commit | 401d0c25edc38f43db48e94d18b15bcd95de062f |
Review Scope
- Commit
- 401d0c25edc38f43db48e94d18b15bcd95de062f
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are present, but only at a high-level.
Technical description is present, but only at a high-level.
Code quality
No code quality issues were observed.
Test coverage
Code coverage of the project is 51.08% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative case coverage is missed.
Some functions are not tested.
System Overview
The BlockPaperScissorsTokenERC20 smart contract is an ERC20 token that also facilitates staking, reward distribution, and token management within the BlockPaperScissors ecosystem. It enables the staking of tokens, the accumulation of rewards based on the amount staked, and the claiming of these rewards. The contract's attributes include mechanisms for managing stakers, tracking rewards, and funding the reward pool from a designated game contract. It has the following attributes:
Name: BPS Staking Token
Symbol: BPST
Decimals: 18
Total supply: 10000000
The BlockPaperScissors smart contract enables a decentralized Rock, Paper, Scissors game on the blockchain. Users can create and join games by staking assets, commit their choices, and reveal them within specified time limits. The contract ensures fair play by using hashed commitments and handles various scenarios, such as timeouts and game cancellations. Game outcomes are resolved automatically, distributing winnings and fees accordingly.
Privileged roles
The BlockPaperScissorsTokenERC20 contract utilizes the Ownable2Step library from OpenZeppelin to restrict access to important functions. The owner of this contract has the following capabilities:
Recovers any Ether stuck in the contract.
Distributes rewards to all stakers based on their stake.
Sets the address of the game contract.
The BlockPaperScissors contract utilizes the Ownable2Step library from OpenZeppelin to restrict access to important functions. The owner of this contract has the following capabilities:
Updates the stakers fee percent.
Updates the cancel time limit.
Updates the reveal time limit.
Updates the minimum stake.
Sets the address of the token contract.
Locks the token contract address.
Risks
Absence of a Token Burn Mechanism: The project lacks a mechanism to burn tokens, facing challenges in managing supply dynamically, affecting the token's value stability and inflation control.
Dynamic Array Iteration Gas Limit Risks: The project iterates over large dynamic arrays, which leads to excessive gas costs, risking denial of service due to out-of-gas errors, directly impacting contract usability and reliability.
Owner's Unrestricted State Modification: The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations like minting phases.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-4052 | BlockPaperScissors Vulnerability Allows Attackers to Double Winning Chances | fixed | Critical | |
| F-2024-4036 | Lack of Cancellation Status Update in cancelGame() Function | fixed | Critical | |
| F-2024-4062 | Lack of Minimum Stake Amount and Loop Over stakers AddressSet Enables Permanent DoS Attack | fixed | High | |
| F-2024-4041 | Missed Edge-Case in BlockPaperScissors Allows To Drain Native Tokens From Contract | fixed | High | |
| F-2024-4038 | Inadequate Reward Calculation Mechanism in BlockPaperScissorsTokenERC20 | accepted | High | |
| F-2024-4056 | Contract Owner Can Manipulate Token Address to Win Game | accepted | Medium | |
| F-2024-4046 | Missed Edge-Case in BlockPaperScissors Enables Unfair Win | fixed | Medium | |
| F-2024-4143 | Contract Owner Can Collect tempRewardBalance in Reward Distribution | fixed | Low | |
| F-2024-4054 | Insufficient Validation in BlockPaperScissors Contract Setter Functions | fixed | Low | |
| F-2024-4055 | Duplicate Functionality in BlockPaperScissorsTokenERC20 Contract Leads to Higher Deployment Cost | fixed | Observation |
Identify vulnerabilities in your smart contracts.
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/lukabuz/block-paper-scissors/tree/release/hacken-audit→ |
| Commit | 401d0c25edc38f43db48e94d18b15bcd95de062f |
| Whitepaper | - |
| Requirements | https://github.com/lukabuz/block-paper-scissors/tree/release/hacken-audit/README.md→ |
| Technical Requirements | https://github.com/lukabuz/block-paper-scissors/tree/release/hacken-audit/README.md→ |
Scope Details
- Commit
- 401d0c25edc38f43db48e94d18b15bcd95de062f
- Whitepaper
- -
- Technical Requirements
- https://github.com/lukabuz/block-paper-scissors/tree/release/hacken-audit/README.md→
Contracts in Scope
contracts/BlockPaperScissors.solcontracts/BlockPaperScissorsTokenERC20.sol