Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Game can be end at any time before the duration complete.

gaurangbrdv

Description

In `EggHuntGame` contract we have `endGame` function to end the game after duration has complete, but the owner can call this function anytime before duration pass and the game will be end, And the players who joins lately could not able to play the game. Also this refers to centalization risk for the protocol.

Impact

The game can be end before duration pass results in players unable to play the game.

Proof of Concept

Add this test into the `EggHuntGameTest.t.sol` file

```javascript

function testGameCanBeEndBeforeDeadlinePass() public {

game.startGame(1 hours);

vm.warp(1 minutes);

assertEq(game.getGameStatus(), "Game is active");

game.endGame();

assertEq(game.getGameStatus(),"Game is not active");

}

```

Result:

```javascript

Ran 1 test for test/EggHuntGameTest.t.sol:EggGameTest

[PASS] testGameCanBeEndBeforeDeadlinePass() (gas: 65715)

Traces:

[68515] EggGameTest::testGameCanBeEndBeforeDeadlinePass()

├─ [53376] EggHuntGame::startGame(3600)

│ ├─ emit GameStarted(startTime: 1, endTime: 3601)

│ └─ ← [Stop]

├─ [0] VM::warp(60)

│ └─ ← [Return]

├─ [945] EggHuntGame::getGameStatus() [staticcall]

│ └─ ← [Return] "Game is active"

├─ [0] VM::assertEq("Game is active", "Game is active") [staticcall]

│ └─ ← [Return]

├─ [1792] EggHuntGame::endGame()

│ ├─ emit GameEnded(endTime: 60)

│ └─ ← [Stop]

├─ [561] EggHuntGame::getGameStatus() [staticcall]

│ └─ ← [Return] "Game is not active"

├─ [0] VM::assertEq("Game is not active", "Game is not active") [staticcall]

│ └─ ← [Return]

└─ ← [Stop]

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.81ms (742.03µs CPU time)

Ran 1 test suite in 2.78s (4.81ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

```

Recommendations

The protocol should implement machenism so that also owner can not end the game before the actual deadline passed.

Make changes in to `endGame` function.

```diff

function endGame() external onlyOwner {

require(gameActive, "Game not active");

+ require(block.timestamp > endTime, "Duration is not passed yet");

gameActive = false;

emit GameEnded(block.timestamp);

}

```

Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!