Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Centralized Control in EggHuntGame.sol

0x_wind

Summary

The endGame() function allows the owner to end the game at any time, regardless of the scheduled endTime. The function lacks checks to prevent premature termination, which introduces centralization risks, disrupts fairness and also user trust.

Vulnerability Details

Vulnerable Contract: EggHuntGame.sol

Vulnerable Function: endGame()

function endGame() external onlyOwner {

require(gameActive, "Game not active");

gameActive = false;

emit GameEnded(block.timestamp);

}

The owner can call endGame() at any time, even before the scheduled endTime.

Impact

If rewards are time-based, an early and premature ending of the game could place participants at a disadvantage, as players may rely on endTime to strategize while playing.
The owner could end the game when certain players are winning, preventing them from claiming rewards.
An untimely termination of the game undermines the confidence of players in the game's integrity.

Tools Used

Solidity

Foundry forge

Manual Review

Proof of Concept (PoC):

Test Case: test_OwnerCanEndGame

Add the following code to the EggHuntGameTest.t.sol file

function test_OwnerCanEndGame() public {

vm.prank(owner);

game.startGame(1 days); // Start a 1-day game

vm.warp(block.timestamp + 1 hours); // Fast-forward 1 hour (game should still be active)

vm.prank(owner);

game.endGame(); // Owner ends game early

assertFalse(game.gameActive());

assertLt(block.timestamp, game.endTime()); // Ended before natural end time

}

When you run forge test --match-test test_OwnerCanEndGame, the test should pass.

Recommendations

Modify the endGame() function to prevent premature ending by adding a timestamp check.

function endGame() external onlyOwner {

require(gameActive, "Game not active");

// Prevent early termination by adding a timestamp check

require(block.timestamp >= endTime, "Game cannot end before scheduled time"); // fix

gameActive = false;

emit GameEnded(block.timestamp);

Updates

Lead Judging Commences

m3dython Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.