Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

The `searchForEgg()` function in the `EggHuntGame` contract is vulnerable to timestamp manipulation, allowing the attacker to play even after the game has ended, giving them an unfair advantage

Description

In the `EggHuntGame` contract, the `searchForEgg()` function has a vulnerability that allows an attacker to manipulate the block timestamp. This means the attacker can trick the contract into thinking the game is still ongoing, even after the game should have ended.

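```solidity
function searchForEgg() external {
    require(gameActive, "Game not active");
    require(block.timestamp >= startTime, "Game not started yet");
    require(block.timestamp <= endTime, "Game ended"); // <- line flagged by this submission
    // ... rest of the function is not shown in the submission
}
```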

Impact

  1. It creates an unfair playing environment, where the attacker can keep playing even after the game should be over.

  2. While it does not directly affect funds or ownership, it does compromise the game's integrity and fairness.

Proof Of Code

In the provided test case code, you can see how the attacker manipulates the timestamp to continue playing the game, even after it should have ended:

```solidity
function testmanipulatetimestamp() external {
    vm.warp(80); // Set the initial block timestamp to 80 seconds
    // Start the game as the owner, with a duration of 70 seconds
    vm.prank(owner);
    game.startGame(70);
    console.log("game start time", game.startTime());
    console.log("game End time", game.endTime());
    // Move forward in time past the game end time
    vm.warp(180); // Now block.timestamp = 180 (Game should be over!)
    address user = address(1);
    vm.prank(user);
    // Attacker manipulates block.timestamp backwards to 130 (before endTime)
    vm.warp(130); // Now block.timestamp = 130, making the game seem active again
    // Attacker calls searchForEgg() even though the game should have ended
    game.searchForEgg();
}
```

  1. The game starts at 80 seconds.

  2. The game should end at 150 seconds (80 + 70).

  3. The attacker moves time forward to 180 (Game is over at this point).

  4. The attacker manipulates time backward to 130, making it seem like the game is still active.

  5. The searchForEgg() function still executes, proving the bug exists.

You can see that the test case passed, instead of throwing a revert with `Game ended`:

```
root@LAPTOP-6DCGCU3B:~/2025-04-eggstravaganza# forge test --mt testmanipulatetimestamp -vvv
[⠊] Compiling...
[⠃] Compiling 1 files with Solc 0.8.28
[⠊] Solc 0.8.28 finished in 826.59ms
Compiler run successful!
Ran 1 test for test/EggHuntGameTest.t.sol:EggGameTest
[PASS] testmanipulatetimestamp() (gas: 80138)
Logs:
game start time 80
game End time 150
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.62ms (329.41µs CPU time)
Ran 1 test suite in 7.62ms (1.62ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
```

Tools Used

1) VS Code

Recommendations

Relying on block.timestamp can be risky due to miner manipulation. We recommend using trusted oracles like Chainlink to fetch accurate, off-chain time data (e.g., UTC).

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
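
Added example, not part of the submission or the contest code: a Foundry test in which time only moves forward, as it does on a live chain where each block's timestamp must exceed its parent's. `vm.warp` is a Foundry test cheatcode, so it is used here only to advance the clock. `EggHuntGameStub` is a hypothetical stand-in that carries just the three `require` checks quoted in the submission and assumes `startGame` sets `endTime = startTime + duration`, matching the logged values 80 and 150.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in (assumption): only the checks quoted in the submission.
contract EggHuntGameStub {
    bool public gameActive;
    uint256 public startTime;
    uint256 public endTime;
    uint256 public searches; // counts calls that passed all three checks

    function startGame(uint256 duration) external {
        startTime = block.timestamp;
        endTime = block.timestamp + duration;
        gameActive = true;
    }

    function searchForEgg() external {
        require(gameActive, "Game not active");
        require(block.timestamp >= startTime, "Game not started yet");
        require(block.timestamp <= endTime, "Game ended");
        searches++;
    }
}

contract ForwardOnlyTimeTest is Test {
    EggHuntGameStub game;

    function setUp() public {
        game = new EggHuntGameStub();
    }

    function testSearchRevertsOnceTimePassesEndTime() public {
        vm.warp(80);
        game.startGame(70); // startTime = 80, endTime = 150

        vm.warp(150); // boundary: the check is <=, so this call still succeeds
        game.searchForEgg();
        assertEq(game.searches(), 1);

        vm.warp(180); // clock advances past endTime and is never moved back
        vm.expectRevert(bytes("Game ended"));
        game.searchForEgg();
        assertEq(game.searches(), 1); // the reverted call changed no state
    }
}
```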
