Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Input Validation Gap in setEggFindThreshold

edoscoba

Summary

The setEggFindThreshold function contains an input validation gap that allows the threshold to be set to 0%, which would make it impossible for players to find eggs, potentially leading to an unplayable game state.

Vulnerability Details

The setEggFindThreshold function in the EggHuntGame contract validates that the new threshold value is not greater than 100, but fails to validate that it is greater than 0:

function setEggFindThreshold(uint256 newThreshold) external onlyOwner {

require(newThreshold <= 100, "Threshold must be <= 100");

eggFindThreshold = newThreshold;

}

This allows the contract owner to set the threshold to 0%, which would make the random number generation in the searchForEgg function always fail the condition:

if (random < eggFindThreshold) {

// Mint egg logic

}

When eggFindThreshold is 0, the condition will never be true because any random number from 0-99 will not be less than 0, making it impossible for players to find eggs.

Proof of Concept

Owner calls setEggFindThreshold(0)
Players call searchForEgg() repeatedly
No eggs are ever found because random < 0 will always be false

Impact

Setting the threshold to 0 would result in:

Players wasting gas on transactions that can never succeed
Game becoming functionally broken
Loss of player trust and engagement

Tools Used

Manual Review

Recommendations

Add a lower bound check to the setEggFindThreshold function:

function setEggFindThreshold(uint256 newThreshold) external onlyOwner {

require(newThreshold > 0, "Threshold must be > 0");

require(newThreshold <= 100, "Threshold must be <= 100");

eggFindThreshold = newThreshold;

}

Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.