Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Submission Details
Severity: medium
Invalid

Threshold Manipulation by the Owner while the Game is Active

Summary

The EggHuntGame contract allows the owner to arbitrarily update the eggFindThreshold during the game via the setEggFindThreshold() function. This can be manipulated to guarantee egg discovery by temporarily increasing the threshold to 100%, effectively rigging the game.

Vulnerability Details

The setEggFindThreshold(uint256 _newThreshold) function is restricted to the contract owner. There are no safeguards preventing the owner from calling this function at any point during the game.

This introduces a centralization risk and allows a malicious or opportunistic owner to:

  1. Start the game with a low threshold.

  2. Fail a few attempts intentionally.

  3. Set the threshold to 100%.

  4. Call searchForEgg() again and guarantee success.

  5. Optionally reduce the threshold again to avoid detection.

    pragma solidity ^0.8.0;

    import {Test} from "forge-std/Test.sol";
    // Paths below assume the default Foundry src/ layout; they are not shown in the submission.
    import {EggVault} from "../src/EggVault.sol";
    import {EggstravaganzaNFT} from "../src/EggstravaganzaNFT.sol";
    import {EggHuntGame} from "../src/EggHuntGame.sol";

    contract EggVaultExploitTest is Test {
        EggVault eggVault;
        EggstravaganzaNFT eggNFT;
        EggHuntGame game;
        address owner = address(0x1);
        address player1 = address(0x2);

        function setUp() public {
            // Deploy and wire the three contracts as the owner
            vm.startPrank(owner);
            eggNFT = new EggstravaganzaNFT("Egg NFT", "EGG");
            eggVault = new EggVault();
            game = new EggHuntGame(address(eggNFT), address(eggVault));
            eggVault.setEggNFT(address(eggNFT));
            eggNFT.setGameContract(address(game));
            vm.stopPrank();
        }

        function testThresholdManipulationExploit() public {
            vm.startPrank(owner);
            // Initially, set a low egg find threshold (10%)
            game.setEggFindThreshold(10);
            game.startGame(1 hours);
            game.searchForEgg();
            vm.stopPrank();

            vm.prank(player1);
            game.searchForEgg();
            uint256 eggCountBefore = eggNFT.totalSupply();

            vm.startPrank(owner);
            // Owner increases chance to 100%
            game.setEggFindThreshold(100);
            // Owner searches again - guaranteed success
            game.searchForEgg();
            uint256 eggCountAfter = eggNFT.totalSupply();
            // Owner reduces chance back to 10%
            game.setEggFindThreshold(10);
            vm.stopPrank();

            // Users continue to struggle
            vm.prank(player1);
            game.searchForEgg();
            uint256 eggCount = eggNFT.totalSupply();

            assertEq(eggCountAfter, eggCountBefore + 1, "Owner exploited threshold change to guarantee egg mint");
            assertEq(eggCount, eggCountBefore + 1, "users continue to struggle");
        }
    }
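
The raise, search, lower sequence in the test above is visible in the contract's transaction history even after the threshold is put back. The following detection routine is an added example, not part of the submission or the project's code: it flags every setEggFindThreshold() call that lands inside an active game window and counts the searches made by the same account while the changed value is live. The record fields and the sample trace are constructed, and the game window is assumed to run from the startGame() call for the duration passed to it.

```python
# Added example: flag setEggFindThreshold() calls made during an active game
# and count searches by the same caller while the changed value is in effect.
# CALLS is constructed sample data standing in for decoded transactions to the
# game contract; the field names are assumptions, not a real indexer schema.
OWNER, PLAYER = "0x01", "0x02"
CALLS = [
    {"ts": 1000, "sender": OWNER,  "fn": "setEggFindThreshold", "args": [10]},
    {"ts": 1010, "sender": OWNER,  "fn": "startGame",           "args": [3600]},
    {"ts": 1020, "sender": OWNER,  "fn": "searchForEgg",        "args": []},
    {"ts": 1030, "sender": PLAYER, "fn": "searchForEgg",        "args": []},
    {"ts": 1040, "sender": OWNER,  "fn": "setEggFindThreshold", "args": [100]},
    {"ts": 1041, "sender": OWNER,  "fn": "searchForEgg",        "args": []},
    {"ts": 1042, "sender": OWNER,  "fn": "setEggFindThreshold", "args": [10]},
    {"ts": 1050, "sender": PLAYER, "fn": "searchForEgg",        "args": []},
    {"ts": 9000, "sender": OWNER,  "fn": "setEggFindThreshold", "args": [20]},
]


def find_midgame_threshold_changes(calls):
    """Return one finding per threshold change made while a game window is open."""
    findings = []
    game_end = None      # timestamp at which the current game window closes
    threshold = None     # last threshold value seen in the trace
    open_change = None   # most recent mid-game change, still in effect
    for call in sorted(calls, key=lambda c: c["ts"]):
        fn, ts = call["fn"], call["ts"]
        active = game_end is not None and ts <= game_end
        if fn == "startGame":
            game_end, open_change = ts + call["args"][0], None
        elif fn == "setEggFindThreshold":
            new = call["args"][0]
            if active:
                open_change = {"ts": ts, "sender": call["sender"], "old": threshold,
                               "new": new, "searches_by_changer": 0}
                findings.append(open_change)
            threshold = new
        elif fn == "searchForEgg" and active and open_change:
            # Searches by the account that changed the odds are the telling signal.
            if call["sender"] == open_change["sender"]:
                open_change["searches_by_changer"] += 1
    return findings


if __name__ == "__main__":
    for finding in find_midgame_threshold_changes(CALLS):
        print(finding)
```

On the constructed trace, the change to 100 is reported with one search by the changer, the change back to 10 is reported with none, and the adjustments made outside the game window are ignored.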

Impact

  • Game Integrity Compromise: The fairness of the egg hunt is entirely compromised.

  • Centralized Exploitability: A malicious owner can mint as many eggs as desired.

  • Trust Erosion: If users are aware the game is modifiable on the fly, it undermines player trust.

  • Economic Risk: If NFTs have value, the owner can farm them unfairly, affecting scarcity and user rewards.

Tools Used

  • Manual Code Review

  • Foundry Unit Test Simulation

Recommendations

Restrict changes to eggFindThreshold after the game has started.

/// @notice Allows the owner to adjust the egg-finding chance.
function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
+ require(!gameActive, "Cannot change threshold mid-game");
require(newThreshold <= 100, "Threshold must be <= 100");
eggFindThreshold = newThreshold;
}
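
Review bot: the @notice above setEggFindThreshold still describes an unrestricted setter, so with the added require(!gameActive, ...) line it should say that the call reverts while a game is active. The hunk also does not show where gameActive is cleared; confirm it is reset when a game ends, otherwise the owner can no longer adjust the threshold between rounds. A test that expects the "Cannot change threshold mid-game" revert after startGame would pin the new behaviour.
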
Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
