Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Submission Details
Severity: medium
Invalid

`EggHuntGame::endGame` function doesn't check if the game is finished, making it possible to end the game before the end time

Description: `EggHuntGame::endGame` only checks whether the game is active, not whether the duration set for the game has passed since the game started.

```solidity
function endGame() external onlyOwner {
    require(gameActive, "Game not active");
    gameActive = false;
    emit GameEnded(block.timestamp);
}
```

Impact: The owner of the game can end the game whenever he wants to, even if the duration of the game that was set hasn't passed.

Proof of Concept:

  1. Owner starts the game with a certain duration

  2. Owner ends the game before the duration has passed

PoC

Put this in the EggHuntGameTest.t.sol:

```solidity
function testOwnerCanEndGameBeforeSetDuration() public {
    vm.startPrank(owner);
    game.startGame(60);
    uint256 timeAfterStarting = block.timestamp;
    assertTrue(game.gameActive());
    game.endGame();
    uint256 timeAfterEnding = block.timestamp;
    assertFalse(game.gameActive());
    assertEq(timeAfterEnding, timeAfterStarting);
    vm.stopPrank();
}
```

Recommended Mitigation: The easiest fix is to add a `require` at the start of the function that checks whether the set duration has passed.

function endGame() external onlyOwner {
+ require(block.timestamp <= endTime, "Game not finished");
require(gameActive, "Game not active");
gameActive = false;
emit GameEnded(block.timestamp);
}
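
Review bot: the comparison in the added `require(block.timestamp <= endTime, "Game not finished");` is inverted relative to its error message and the stated intent. As written it passes while `block.timestamp` is at or before `endTime` and reverts once `endTime` has passed, so the owner can still end the game early and can no longer end it after the duration has elapsed. To allow `endGame` only once the duration is over, the condition should be `block.timestamp >= endTime`. The hunk does not show where `endTime` is assigned, so confirm it is set when the game is started before relying on it here.
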
Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
