Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Submission Details
Severity: high
Invalid

Owner isn't trusted and can act maliciously

Vulnerability Details

The owner possesses significant unchecked control over critical contract parameters and functions across the system, and isn't said to be a trusted actor in the README.
Functions like setEggNFT in EggVault, startGame, endGame, setEggFindThreshold in EggHuntGame, and setGameContract in EggstravaganzaNFT grant the owner power to fundamentally alter game mechanics, minting rights, and vault operations at any time.

// Example: EggVault.sol - Allows owner to change the NFT contract, potentially locking assets
function setEggNFT(address _eggNFTAddress) external onlyOwner {
    require(_eggNFTAddress != address(0), "Invalid NFT address");
    eggNFT = EggstravaganzaNFT(_eggNFTAddress);
}

// Example: EggHuntGame.sol - Allows owner to set unusable parameters
function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
    require(newThreshold <= 100, "Threshold must be <= 100");
    eggFindThreshold = newThreshold;
}

Impact

A malicious or compromised owner can render the game unplayable (DoS) by setting invalid parameters (e.g., threshold 0/100, extreme durations) or prematurely ending games, and can permanently lock user-deposited NFTs in the vault by changing the target NFT contract address via setEggNFT.

Recommendation

Implement decentralized control mechanisms, such as a Timelock contract for critical administrative actions or a transition of ownership to a DAO structure, to mitigate centralization risks.
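
One way to apply the Timelock recommendation to setEggNFT, given as an added example that is not code from the contest repository. The contract name TimelockedEggVault, the 2-day DELAY, and the queue/cancel/execute function names are assumptions, and eggNFT is stored as a plain address so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Added illustration, not the contest's EggVault: only the setEggNFT path is modelled.
contract TimelockedEggVault {
    uint256 public constant DELAY = 2 days; // assumed delay, choose per deployment
    address public immutable owner;
    address public eggNFT;         // NFT contract currently used by the vault
    address public pendingEggNFT;  // queued replacement, zero when nothing is queued
    uint256 public pendingReadyAt; // earliest timestamp at which the change may apply

    event EggNFTChangeQueued(address indexed newEggNFT, uint256 readyAt);
    event EggNFTChanged(address indexed oldEggNFT, address indexed newEggNFT);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _eggNFTAddress) {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        owner = msg.sender;
        eggNFT = _eggNFTAddress;
    }

    /// Step 1: announce the change on-chain so depositors and monitors see it in advance.
    function queueSetEggNFT(address _eggNFTAddress) external onlyOwner {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        pendingEggNFT = _eggNFTAddress;
        pendingReadyAt = block.timestamp + DELAY;
        emit EggNFTChangeQueued(_eggNFTAddress, pendingReadyAt);
    }

    /// The owner may drop a queued change before it takes effect.
    function cancelSetEggNFT() external onlyOwner {
        delete pendingEggNFT;
        delete pendingReadyAt;
    }

    /// Step 2: apply the change only after the delay has elapsed.
    function executeSetEggNFT() external onlyOwner {
        address next = pendingEggNFT;
        require(next != address(0), "Nothing queued");
        require(block.timestamp >= pendingReadyAt, "Timelock not expired");
        emit EggNFTChanged(eggNFT, next);
        eggNFT = next;
        delete pendingEggNFT;
        delete pendingReadyAt;
    }
}
```

The EggNFTChangeQueued event gives off-chain monitoring a signal to alert on during the delay window, before the vault's NFT contract address actually changes.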

Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
