Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Unrestricted control of `EggHuntGame::eggFindThreshold` allows game owner to mint eggs with 100% chance

Summary

Because the game owner can change the eggFindThreshold at any time, a dishonest game owner could manipulate the eggFindThreshold shortly before calling EggHuntGame::searchForEgg to mint an egg with 100% certainty.

Vulnerability Details

There are no restrictions on when or how the game owner sets the eggFindThreshold. A dishonest game owner could call EggHuntGame::setEggFindThreshold shortly before calling EggHuntGame::searchForEgg, set the eggFindThreshold to 100, mint an egg with 100% certainty, and then set the eggFindThreshold back to the previous value for other players. This would give the game owner a significant advantage over other players in finding eggs.

Proof of Concept

The following scenario may lead to an unfair advantage for the game owner in finding eggs:

  1. Game owner starts game

  2. Game owner sets eggFindThreshold to 100

  3. Game owner calls the EggHuntGame::searchForEgg function and mints an egg with a different address

  4. Game owner sets eggFindThreshold back to 20

Code:

Place the following code into EggHuntGameTest.t.sol:

```solidity
function testGameOnwerFindingMoreEggs() public {
    // Start the game with a duration.
    uint256 duration = 200;
    game.startGame(duration);
    address gameOwnerSecondAddress = address(0x4);
    for (uint256 index = 0; index < 100; index++) {
        // regular player searches for egg
        vm.prank(alice);
        game.searchForEgg();
        // owner sets threshold to 100 to guarantee that an egg is found
        uint256 oldThreshold = game.eggFindThreshold();
        game.setEggFindThreshold(100);
        // owner searches egg with 100% chance
        vm.prank(gameOwnerSecondAddress);
        game.searchForEgg();
        // owner reverses threshold
        game.setEggFindThreshold(oldThreshold);
    }
    // Owner minted more eggs than regular player
    assertGt(game.eggsFound(gameOwnerSecondAddress), game.eggsFound(alice));
}
```

Impact

A dishonest game owner who manipulates the game to their own benefit may significantly damage trust in the protocol and possibly cause financial loss (it's unclear if there is any monetary value attached to the eggs). The impact may be high if, for example, eggs can be redeemed for prize money or prize money is awarded to the players with the most eggs.

Tools Used

Manual review, custom test

Recommendations

To prevent a dishonest game owner from manipulating the game via the EggHuntGame::setEggFindThreshold function, calls to the function could be restricted such that:

  1. the eggFindThreshold can only be set before the game is active

  2. the eggFindThreshold can only be increased/decreased by a limited amount

  3. the eggFindThreshold can only be changed once per day
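
One way to combine options 2 and 3, as an added example that is not the EggHuntGame source. The contract name, `MAX_STEP`, `COOLDOWN`, `lastThresholdChange` and the event are assumptions, and ownership is handled with a minimal inline modifier so the block compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the EggHuntGame source. MAX_STEP, COOLDOWN,
/// lastThresholdChange and the event are hypothetical names and values.
contract ThresholdGuardExample {
    address public immutable owner;
    uint256 public eggFindThreshold = 20; // value the report's scenario restores
    uint256 public lastThresholdChange;   // timestamp of the last accepted change

    uint256 public constant MAX_STEP = 5;      // assumed cap per update, in percentage points
    uint256 public constant COOLDOWN = 1 days; // option 3: at most one change per day

    // Lets players and monitors observe every change to the odds.
    event EggFindThresholdChanged(uint256 oldValue, uint256 newValue);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
        require(newThreshold <= 100, "Threshold must be <= 100");

        // Option 3: rate-limit changes so a raise cannot be reverted right
        // after a single search. The zero check allows the first change.
        require(
            lastThresholdChange == 0 || block.timestamp >= lastThresholdChange + COOLDOWN,
            "Threshold changed too recently"
        );

        // Option 2: bound the size of a single change in either direction.
        uint256 old = eggFindThreshold;
        uint256 delta = newThreshold > old ? newThreshold - old : old - newThreshold;
        require(delta <= MAX_STEP, "Change exceeds MAX_STEP");

        eggFindThreshold = newThreshold;
        lastThresholdChange = block.timestamp;
        emit EggFindThresholdChanged(old, newThreshold);
    }
}
```

With these limits the raise, search, restore loop from the proof of concept reverts on the second `setEggFindThreshold` call, and the first call can move the threshold by at most `MAX_STEP`.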

function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
+ require(!gameActive, "Game must be inactive")
require(newThreshold <= 100, "Threshold must be <= 100");
eggFindThreshold = newThreshold;
}
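
Review bot: the added `require(!gameActive, "Game must be inactive")` line has no terminating semicolon, so the function does not compile as written; end the statement with `;`. The check also covers only option 1 from the list above, so the owner can still choose any value up to 100 before each game starts. `gameActive` is not defined anywhere on this page, so confirm it is the flag that actually tracks the game window before relying on it.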
Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Appeal created

trashpirate Submitter
5 months ago
m3dython Lead Judge
5 months ago
m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
