Eggstravaganza

First Flight #37
Beginner Friendly | Solidity
100 EXP
Submission Details
Severity: medium
Valid

Unlimited egg searching enables mass NFT farming

Description:

The searchForEgg() function in the EggHuntGame contract lacks any rate limiting mechanism or restrictions on how many times a single address can call it. This design flaw allows users to repeatedly call the function without any cooldown period or daily limits, enabling mass attempts to find eggs. When combined with the predictable randomness issue, this creates a severe exploitation vector that undermines the entire game economy.

Attack path:

An attacker creates a smart contract that continuously calls the searchForEgg() function in a loop, submitting hundreds or thousands of transactions in a short time period. With sufficient gas funds, they can brute-force the randomness mechanism by simply making many more attempts than regular players. This is particularly effective when combined with randomness prediction techniques.

Impact:

  • The absence of rate limiting completely undermines the game's intended scarcity and balance

  • Attackers with more financial resources can dominate the game by simply making more attempts

  • A single player could potentially acquire a disproportionate percentage of all eggs

  • Regular players with limited resources are effectively priced out of meaningful participation

Recommended Mitigation:

Implement a one-attempt-per-address limit for the entire game duration
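The following contract sketch is an added example of that mitigation, not code from the Eggstravaganza codebase: it keeps only the entry point named in the finding and treats the egg-finding and minting logic as hypothetical internal hooks. It records the attempt before any minting call so that a callback cannot re-open the one-attempt window, and adds the per-search cost the judging tag also mentions as an optional second control.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative hardened searchForEgg() (added example, not the project's
/// EggHuntGame contract). Randomness and minting are hypothetical hooks.
abstract contract EggHuntGameHardened {
    /// One search per address for the whole game, as recommended above.
    mapping(address => bool) public hasSearched;

    /// Optional second control: a per-search fee so mass attempts carry a
    /// cost. The amount is a constructed placeholder value.
    uint256 public constant SEARCH_FEE = 0.01 ether;

    uint256 public immutable gameEndTime;

    error AlreadySearched(address player);
    error GameNotActive();
    error InsufficientFee(uint256 sent, uint256 required);

    event EggSearched(address indexed player, bool found);

    constructor(uint256 _gameEndTime) {
        gameEndTime = _gameEndTime;
    }

    function searchForEgg() external payable {
        if (block.timestamp >= gameEndTime) revert GameNotActive();
        if (hasSearched[msg.sender]) revert AlreadySearched(msg.sender);
        if (msg.value < SEARCH_FEE) revert InsufficientFee(msg.value, SEARCH_FEE);

        // Effects before interactions: mark the attempt used before the
        // mint, so an onERC721Received callback cannot call back in and
        // search again with the flag still unset.
        hasSearched[msg.sender] = true;

        bool found = _tryFindEgg(msg.sender);
        emit EggSearched(msg.sender, found);
        if (found) {
            _mintEgg(msg.sender);
        }
    }

    /// Hypothetical hook: decides whether this single attempt finds an egg.
    /// Its randomness source is out of scope here (see the separate issue).
    function _tryFindEgg(address player) internal virtual returns (bool);

    /// Hypothetical hook: mints the egg NFT to the player.
    function _mintEgg(address player) internal virtual;
}
```

A per-address flag alone does not stop a player from using several fresh addresses, which is why the fee (or an allowlist of registered players) is worth combining with it.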

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No rate limiting

Contract lacks any cooldown mechanism, search limits, or costs in the searchForEgg() function
