## Arena Smart Contract Vulnerability: Unstaked Addresses Can Corrupt Game Resolution
A critical security flaw has been identified in the `submit_choice` function of the Arena smart contract. The function currently accepts submissions from any caller without verifying whether the address is an active, staked participant in the game. The absence of a `DataKey::Survivor` check allows random, unstaked addresses to pollute the round's submission data, directly altering the total submission count and breaking the core resolution logic of the Arena.

The vulnerability resides in `contract/arena/src/lib.rs`. Because the function never validates that the caller is a registered survivor, the game's state can be manipulated by external, non-participating entities. This is not a minor edge case: the project's own description states that the flaw compromises the entire resolution algorithm, rendering the game's outcome unreliable and potentially exploitable.

The proposed fix is straightforward but essential: retrieve the `DataKey::Survivor(player)` record from storage and return an `ArenaError::NotJoined` if it does not exist. Until this validation is implemented and tested, the contract's integrity and the fairness of its resolution mechanism remain at significant risk. This is a foundational security failure that must be addressed before any live deployment.
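The check the issue proposes, as an added example that is not the Arena contract's own code: plain Rust with an in-memory map standing in for Soroban storage, keeping the page's `DataKey::Survivor` and `ArenaError::NotJoined` names; the `Submission` key, the `join` function and the stored record value are assumptions.

```rust
use std::collections::HashMap;

// Added example, not the Arena contract's code: plain Rust with an in-memory map
// standing in for Soroban storage. DataKey::Survivor and ArenaError::NotJoined
// follow the issue; the Submission key and record value are assumptions.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
enum DataKey {
    Survivor(String),        // player address -> staked participant record
    Submission(u32, String), // (round, player) -> submitted choice
}

#[derive(Debug, PartialEq, Eq)]
enum ArenaError {
    NotJoined,
}

struct Arena {
    storage: HashMap<DataKey, u32>,
    round: u32,
}

impl Arena {
    fn new() -> Self {
        Arena { storage: HashMap::new(), round: 1 }
    }

    // Joining/staking writes the Survivor record; only joined players have one.
    fn join(&mut self, player: &str) {
        self.storage.insert(DataKey::Survivor(player.to_string()), 1);
    }

    // Vulnerable shape described in the issue: any caller's choice is stored.
    fn submit_choice_unchecked(&mut self, player: &str, choice: u32) {
        self.storage.insert(DataKey::Submission(self.round, player.to_string()), choice);
    }

    // Proposed fix: require the caller's Survivor record before storing anything.
    fn submit_choice(&mut self, player: &str, choice: u32) -> Result<(), ArenaError> {
        if !self.storage.contains_key(&DataKey::Survivor(player.to_string())) {
            return Err(ArenaError::NotJoined);
        }
        self.submit_choice_unchecked(player, choice);
        Ok(())
    }

    // Submissions recorded for the current round: the total that resolution relies on.
    fn submission_count(&self) -> usize {
        self.storage.keys().filter(|k| matches!(k, DataKey::Submission(r, _) if *r == self.round)).count()
    }
}
```

With the check in place an unstaked caller is rejected with `NotJoined` and the round count is unchanged, while the unchecked form lets the same caller inflate it.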
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: smart_contract, security_vulnerability, blockchain, rust, game_logic
- **Credibility**: unverified
- **Published**: 2026-03-25 10:27:17
- **ID**: 33068
- **URL**: https://whisperx.ai/en/intel/33068