Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Dynamic egg finding threshold creates unfair gameplay conditions

Summary

The EggHuntGame contract contains a critical vulnerability: the game administrator can arbitrarily change eggFindThreshold while a game is active. This parameter directly controls the probability of finding an egg, so the admin can selectively favor or penalize players by adjusting the difficulty in real time. This fundamentally undermines the fairness and integrity of the game mechanics.

Vulnerability Details

The setEggFindThreshold function allows the owner to change the probability of finding eggs at any time, with no restrictions on whether a game is active:

function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
    require(newThreshold <= 100, "Threshold must be <= 100");
    eggFindThreshold = newThreshold;
}

Meanwhile, the searchForEgg function uses this threshold to determine success:

The vulnerability stems from:

  1. Lack of restrictions on when the threshold can be changed

  2. Centralized control of the game's core probability mechanism

  3. Absence of transparency mechanisms to track or notify threshold changes

Impact

This creates fairness issues:

  1. Selective Advantage: The admin can observe specific wallets searching for eggs and increase the threshold just before their transaction, then decrease it afterward.

  2. Targeted Difficulty: The admin can make the game arbitrarily difficult for certain players or time periods.

  3. Tournament Manipulation: In competitive settings, the admin can effectively choose winners by adjusting difficulty.

  4. Inadvertent Change: The admin could change this setting during an active game without realizing that it favors some players.

Tools Used

  • manual check

Recommendations

  • Option 1: Time-Lock for Threshold Changes

  • Option 2: Prohibit Changes During Active Games

  • Option 3: Game-Specific Thresholds
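As an added example (not the audited EggHuntGame's code), the sketch below combines Options 2 and 3 and emits an event so threshold changes are observable on-chain; `gameActive`, `activeThreshold`, `startGame`, `endGame`, `ThresholdUpdated`, `_isEggFound` and the OpenZeppelin v5 `Ownable` import are assumptions, not names from the audited contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Added example, not the audited EggHuntGame. gameActive, activeThreshold,
// startGame, endGame, ThresholdUpdated and _isEggFound are assumed names.
contract EggHuntGameHardened is Ownable {
    uint256 public eggFindThreshold; // pending value, applied at the next game start
    uint256 public activeThreshold;  // value frozen for the running game (Option 3)
    bool public gameActive;

    event ThresholdUpdated(uint256 oldThreshold, uint256 newThreshold);
    error GameInProgress();
    error GameNotActive();

    constructor(uint256 initialThreshold) Ownable(msg.sender) {
        require(initialThreshold <= 100, "Threshold must be <= 100");
        eggFindThreshold = initialThreshold;
    }

    // Option 2: reject changes while a game is running; the event gives
    // off-chain observers a record of every change (finding item 3).
    function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
        require(newThreshold <= 100, "Threshold must be <= 100");
        if (gameActive) revert GameInProgress();
        emit ThresholdUpdated(eggFindThreshold, newThreshold);
        eggFindThreshold = newThreshold;
    }

    // Option 3: snapshot the threshold once per game so every search in that
    // game is judged against the same value.
    function startGame() external onlyOwner {
        if (gameActive) revert GameInProgress();
        activeThreshold = eggFindThreshold;
        gameActive = true;
    }

    function endGame() external onlyOwner {
        if (!gameActive) revert GameNotActive();
        gameActive = false;
    }

    // Success is decided against the frozen per-game value only. The randomness
    // source is unchanged from the original design and supplied by the caller.
    function _isEggFound(uint256 randomValue) internal view returns (bool) {
        if (!gameActive) revert GameNotActive();
        return (randomValue % 100) < activeThreshold;
    }
}
```

Option 1 can be layered on top by recording a pending value with a timestamp in setEggFindThreshold and only copying it into eggFindThreshold once the delay has elapsed.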

Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Appeal created

