Eggstravaganza

Summary

The EggHuntGame contract contains a critical vulnerability in the endGame() function, allowing the contract owner to prematurely terminate the game at any time, even before the pre-set duration ends. This undermines the game's fairness and trustworthiness.

Vulnerability Details

Description: The endGame() function is restricted to the contract owner (onlyOwner), but it lacks a time-based validation to ensure the game can only end after its natural duration. This allows the owner to terminate the game before the endTime, disrupting player expectations and potentially manipulating outcomes.

Code Location:

Exploitation:

1. The owner can call endGame() even if the game is still active (e.g., before endTime).

2. This bypasses the game's pre-set duration, violating the intended rules .

Impact

• Exploitation Risks:

  • The owner can end the game early to prevent players from earning rewards.

  • Manipulate game outcomes (e.g., stopping the game before a player wins).

• Trust Loss: Users may lose confidence in the contract's fairness and transparency.

Tools Used

• Static code analysis (e.g., Slither).

• Manual review of control flow and ownership privileges.

Recommendations

1. Enforce Time-Based Validation:
   Modify endGame() to only allow termination after the endTime or during an emergency with additional safeguards.

   function endGame() external onlyOwner {

   require(gameActive, "Game not active");

   require(block.timestamp >= endTime, "Can only end after duration"); // Add this check

   gameActive = false;

   emit GameEnded(block.timestamp);

   }

2. Emergency Pause Mechanism:
   If early termination is necessary (e.g., security issues), implement a timelock or multi-signature approval .

3. Documentation:
   Clarify the game’s rules and owner privileges to align expectations with the code’s behavior .