Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Premature Game Termination Risk in EggHuntGame Contract

edoscoba

Summary

The EggHuntGame contract owner has unrestricted ability to end the game at any time via the endGame() function, regardless of the predefined game duration. This centralized control allows the owner to arbitrarily terminate gameplay before the scheduled end time, potentially disrupting player expectations and compromising game fairness. The lack of constraints on this critical function introduces opportunity for manipulation and undermines trust in the game system.

Vulnerability Details

The vulnerable function is found in the EggHuntGame contract:

/// @notice Ends the egg hunt game.

function endGame() external onlyOwner {

require(gameActive, "Game not active");

gameActive = false;

emit GameEnded(block.timestamp);

}

This function allows the owner to end the game at any time, subject only to the condition that the game is currently active. The function:

Does not check whether the game's natural end time (endTime) has been reached
Provides no justification or extraordinary circumstances required to end early
Offers players no compensation mechanism if the game ends earlier than promised

Impact

This vulnerability has several significant impacts:

Trust Violation: Players engage with the game under the assumption of a fixed duration, but this can be arbitrarily shortened without their consent.
Competitive Fairness Issues: Premature termination can unfairly advantage certain players who were able to find eggs early, while disadvantaging others who may have planned their participation strategy around the full duration.
Economic Manipulation: In a game with valuable NFT rewards, the owner could monitor the distribution of eggs and end the game when a particular threshold or pattern is reached, manipulating the scarcity and potential value of the eggs.
Player Experience Degradation: Suddenly ending a game creates frustration and disappointment for active players, potentially harming the platform's reputation.
Resource Waste: Players may invest time and gas fees into participation strategies that become worthless if the game ends prematurely.

Tools Used

Manual Review

Recommendations

Time-Based Restrictions: Only allow early termination within a reasonable window of the scheduled end time:

function endGame() external onlyOwner {

require(gameActive, "Game not active");

// Only allow early termination if we're close to the end (e.g., within 10% of total duration)

uint256 totalDuration = endTime - startTime;

uint256 minEndTime = endTime - (totalDuration / 10); // 90% of the way through

require(block.timestamp >= minEndTime, "Too early to end game");

gameActive = false;

emit GameEnded(block.timestamp);

}

Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incomplete end game handling

Incorrect values reported when a game is ended early

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.