Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Centralization risk in EggstravaganzaNFT game contract management

teoslaf

Summary

The EggstravaganzaNFT::setGameContract function allows the owner to change the authorized minting contract at any time without notice or delay, creating a centralization risk that undermines the trustlessness of the system.

Vulnerability Details

The NFT contract allows the owner to change which contract is authorized to mint NFTs without any restrictions:

## EggstravaganzaNFT.sol
function setGameContract(address _gameContract) external onlyOwner {
require(_gameContract != address(0), "Invalid game contract address");
gameContract = _gameContract;
}

This creates several vulnerabilities:

  1. The owner can change the game contract at any time without notice

  2. No events are emitted when this critical parameter changes

  3. Users have no way to verify which contract is authorized to mint

  4. No timelock or delay mechanism for such a critical parameter change

Impact

  • The owner can silently change which contract is authorized to mint NFTs

  • Could be exploited by a compromised owner account to redirect minting privileges

  • Users have no transparency into changes to critical game parameters

  • Undermines the trustlessness of the system

Tools Used

  • Manual code review

  • Centralization risk assessment

Recommendations

Implement proper event emissions and a timelock mechanism

Updates

Lead Judging Commences

m3dython Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.