Summary

The EggHuntGame contract has several functions, including startGame(), that are restricted to the contract owner. This creates a centralization risk where the owner has exclusive control over critical game functionality.

Vulnerability Details

The startGame() function uses the onlyOwner modifier:

This restricts the ability to start the game exclusively to the contract owner. Similar restrictions exist on other admin functions like endGame() and setEggFindThreshold().

Impact

Medium impact (centralization vulnerability). While this design choice is intentional for administrative purposes, it introduces several risks:

1. Single point of failure - if the owner key is compromised, game operation could be disrupted

2. Trust requirement - users must trust the owner not to manipulate game conditions unfairly

3. Censorship risk - owner could selectively prevent certain games from starting

4. Key loss risk - if owner keys are lost, the game could become permanently inoperable

Tools Used

Manual code review

Recommendations

1. Consider implementing one or more of these mitigations:

2. Time-lock mechanism: Add a delay between owner-initiated actions and their execution to allow users to react to potentially malicious actions.

3. Multi-signature governance: Replace the single owner with a multi-signature scheme requiring multiple approvals for administrative actions.

4. DAO or community governance: Transition control to a decentralized autonomous organization where token holders vote on key decisions.

5. Automated scheduling: Implement an automated game schedule that doesn't rely on owner intervention for regular operations.