Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Time Validation in endGame Function

monteago30

Summary

The endGame() function can be called by the owner at any time, even before the scheduled end time, potentially disrupting the game unfairly.

Vulnerability Details

The endGame() function has insufficient validation:

function endGame() external onlyOwner {

require(gameActive, "Game not active");

gameActive = false;

emit GameEnded(block.timestamp);

}

While it checks that the game is active, it doesn't validate that the game's scheduled end time has passed. This allows the owner to arbitrarily end the game early, which could be unfair to participants who expected a specific game duration.

Impact

Medium. This vulnerability enables:

Premature termination of the game by the owner
Potential manipulation of game outcomes
Loss of trust in the fairness of the game

Tools Used

Manual code review

Recommendations

Add a check to ensure the current time is past the scheduled end time
Or add a flag parameter to explicitly allow early termination in exceptional cases
Emit an event with the reason for early termination if allowed

/// @notice Ends the egg hunt game.

/// @dev Includes checks to ensure the game can only be ended after the scheduled end time,

/// unless an emergency flag is provided.

function endGame(bool emergency) external onlyOwner {

require(gameActive, "Game not Active");

if (!emergency) {

require(block.timestamp >== endTime, "Game end time not reached");

}

gameActive = false;

if (emergecny) {

emit GameEndedEarly(block.timestamp, msg.sender);

} else {

emit GameEnded(block.timestamp);

}

// Additional event for emergency endings

event GameEndedEarly(uint256 timestamp, address initiator);

Adds an emergency parameter to allow for early termination only in exceptional circumstances
Requires the current time to be past the scheduled end time unless it's an emergency
Emits different events depending on whether it's a normal or emergency end
Adds a specific event for emergency endings that includes who initiated it

This approach:

Protects players from arbitrary early termination
Provides transparency when games are ended early
Still allows for emergency stops when absolutely necessary
Creates an audit trail of who initiated emergency stops and when

This solution balances owner control with player protection, addressing the medium-severity vulnerability while maintaining flexibility for legitimate use cases.

Updates

Lead Judging Commences

m3dython Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.