No Ownership Check on setGameContract() After Init
Summary
The contract owner can change the gameContract address at any time, even after it’s initially set. This could allow a compromised owner to set a malicious contract.
Vulnerability Details
The setGameContract() function allows the owner to modify the gameContract address without any restriction once it has been set. This exposes the contract to risk if the owner's account is compromised.
Impact
If the owner account is compromised, an attacker could set a malicious contract as the gameContract, allowing them to mint unlimited NFTs or perform other malicious actions.
Tools Used
Solidity
Access Control Vulnerability Detection
Recommendations
-
Lock
setGameContract()after it’s first used to prevent changes later:bool public gameContractSet = false;function setGameContract(address _gameContract) external onlyOwner {require(!gameContractSet, "Game contract already set");require(_gameContract != address(0), "Invalid game contract address");gameContract = _gameContract;gameContractSet = true;}✅ Once set, the
gameContractaddress cannot be changed, securing the contract from unauthorized changes.
Lead Judging Commences
Trusted Owner
Owner is trusted and is not expected to interact in ways that would compromise security
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.