Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Lack of rate limiting in searchForEgg enables DoS attacks against other players

Summary

The EggHuntGame::searchForEgg function has no rate limiting or gas consumption controls, allowing malicious actors to execute DoS (Denial of Service) attacks that prevent other users from participating in the game.

Vulnerability Details

The vulnerability exists in the searchForEgg function which can be called repeatedly without any restrictions:

```solidity
// EggHuntGame.sol
function searchForEgg() external {
    require(gameActive, "Game not active");
    require(block.timestamp >= startTime, "Game not started yet");
    require(block.timestamp <= endTime, "Game ended");

    uint256 random = uint256(
        keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
    ) % 100;

    if (random < eggFindThreshold) {
        eggCounter++;
        eggsFound[msg.sender] += 1;
        eggNFT.mintEgg(msg.sender, eggCounter);
        emit EggFound(msg.sender, eggCounter, eggsFound[msg.sender]);
    }
}
```

An attacker can monopolize the game by:

  1. Creating a contract that continuously calls searchForEgg with high gas prices

  2. Front-running other users' transactions so that the attacker's own transactions are processed first

  3. Filling blocks with their transactions, making it difficult for others to participate

Proof of Concept

  1. Attacker monitors the mempool for searchForEgg transactions

  2. When a legitimate user submits a transaction, the attacker immediately submits multiple transactions with higher gas prices

  3. The attacker's transactions are processed first, potentially finding eggs before the legitimate user

  4. By repeating this process, the attacker can effectively prevent other users from successfully participating

Impact

  • Regular users are unable to participate in the game

  • The attacker can monopolize egg finding

  • The game becomes unfair and centralized

  • If eggs have economic value, this becomes a serious financial attack

  • Undermines the core purpose and fairness of the game

  • Could lead to abandonment of the game by legitimate players

Tools Used

  • Manual code review

Recommendations

Implement a per-address rate limiting mechanism:

+ mapping(address => uint256) public lastSearchTime;
+ uint256 public constant SEARCH_COOLDOWN = 1 hours;
function searchForEgg() external {
require(gameActive, "Game not active");
require(block.timestamp >= startTime, "Game not started yet");
require(block.timestamp <= endTime, "Game ended");
+ require(block.timestamp >= lastSearchTime[msg.sender] + SEARCH_COOLDOWN, "Too soon to search again");
+ lastSearchTime[msg.sender] = block.timestamp;
// ... rest of function ...
}
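Review bot: the check in `+ require(block.timestamp >= lastSearchTime[msg.sender] + SEARCH_COOLDOWN, "Too soon to search again");` is keyed on msg.sender, so it bounds calls per address rather than per actor; since the finding describes the attacker operating through a contract, the same actor can spread calls over many addresses and keep the same block-filling throughput. Pair the cooldown with something that scales with call volume, such as a per-search fee or a game-wide per-block cap, and make sure the `// ... rest of function ...` placeholder keeps the random draw and mint unchanged, with the `lastSearchTime` write placed before them as shown.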
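A Foundry test for the recommended cooldown, added here as an example (it is not part of the submission or of the Eggstravaganza code base); it assumes forge-std is available and models only the cooldown in a stand-in `CooldownGame` contract, leaving out the egg draw and the NFT mint:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Stand-in for EggHuntGame (constructed for this example): only the
// per-address cooldown from the recommendation is modelled.
contract CooldownGame {
    uint256 public constant SEARCH_COOLDOWN = 1 hours;
    mapping(address => uint256) public lastSearchTime;
    mapping(address => uint256) public searches;
    function searchForEgg() external {
        require(
            block.timestamp >= lastSearchTime[msg.sender] + SEARCH_COOLDOWN,
            "Too soon to search again"
        );
        lastSearchTime[msg.sender] = block.timestamp;
        searches[msg.sender] += 1;
    }
}

contract CooldownTest is Test {
    CooldownGame game;
    address alice = makeAddr("alice");

    function setUp() public {
        game = new CooldownGame();
        // A fresh local chain starts near timestamp 1, which is below the
        // cooldown; warp forward so a never-seen address can search.
        vm.warp(10 hours);
    }

    function test_secondSearchWithinCooldownReverts() public {
        vm.startPrank(alice);
        game.searchForEgg();
        vm.expectRevert(bytes("Too soon to search again"));
        game.searchForEgg();
        vm.stopPrank();
        assertEq(game.searches(alice), 1);
    }

    function test_searchAfterCooldownSucceeds() public {
        vm.startPrank(alice);
        game.searchForEgg();
        vm.warp(block.timestamp + game.SEARCH_COOLDOWN());
        game.searchForEgg();
        vm.stopPrank();
        assertEq(game.searches(alice), 2);
    }
}
```

Run with `forge test`; the first test shows the cooldown rejecting a repeat call from one address, the second that the same address is admitted again once SEARCH_COOLDOWN has elapsed.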
Updates

Lead Judging Commences

m3dython Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No rate limiting

Contract lacks any cooldown mechanism, search limits, or costs in the searchForEgg() function
