Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Missing Time Check in endGame() Allows Premature Termination of the Game

Summary

The endGame() function in the EggHuntGame contract can be called by the owner at any time, without checking whether the game duration has elapsed. This allows the owner to end the game prematurely, which disrupts fair gameplay and breaks the expectations set for players.

While it may be intentional to give the owner administrative control, the missing time check means the contract itself never enforces the game's advertised rules (e.g., "the game lasts 150 seconds"). If early termination is ever needed, it should be exposed through a separate, clearly named function, so that the intent is unambiguous and an accidental early close cannot be confused with a normal one.

Vulnerability Details

The current function:

```solidity
// Vulnerable version as reported: nothing checks that the advertised
// game window has elapsed before the round is closed.
function endGame() external onlyOwner {
    require(gameActive, "Game not active");
    gameActive = false;
    emit GameEnded(block.timestamp);
}
```

does not check that block.timestamp >= endTime before deactivating the game.

This violates the assumption that startGame(duration) guarantees a game window of duration seconds: the window is only a lower bound on when the owner may close the game if the contract enforces it, and here it does not.

Impact

  1. Gameplay disruption: users may be mid-game and suddenly find the game ended with no chance to win.

  2. Confusing user experience: frontends or players expecting a 150-second window may be misled.

  3. Operator error: the owner could call endGame() believing the duration has already passed while the game is still running, and the contract would silently accept the call.

Tools Used

Manual code review

Recommendations

Split endGame() into two functions, so that the owner always knows which action they are taking: the normal close enforces the time check, and an explicitly named emergency close is the only way to end a round early.

```diff
 function endGame() external onlyOwner {
     require(gameActive, "Game not active");
+    require(block.timestamp >= endTime, "Game cannot end before duration");
     gameActive = false;
     emit GameEnded(block.timestamp);
 }
+
+// Named so that ending a live round cannot happen by accident.
+function forceEndGameEarly() external onlyOwner {
+    require(gameActive, "Game not active");
+    gameActive = false;
+    emit GameEnded(block.timestamp);
+}
```
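As an added example (not the project's code, and not part of the original submission), the following self-contained Foundry file shows the recommended split from the Vulnerability Details and Recommendations sections above, together with tests that pin down the behaviour: the normal close reverts while the window is still open and succeeds once it has elapsed, and only the explicitly named emergency function can end a live round. The contract name TimedGame, the startGame/endTime/gameActive shape, the custom errors and the GameForceEnded event are assumptions reconstructed from the report; only endGame() appears on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for EggHuntGame (assumed shape; not the audited contract).
contract TimedGame {
    address public immutable owner;
    bool public gameActive;
    uint256 public endTime;

    event GameStarted(uint256 startTime, uint256 endTime);
    event GameEnded(uint256 timestamp);
    // Distinct event so off-chain consumers can tell an aborted round from a completed one.
    event GameForceEnded(uint256 timestamp, uint256 scheduledEnd);

    error NotOwner();
    error GameNotActive();
    error GameAlreadyActive();
    error GameStillRunning(uint256 nowTs, uint256 endTs);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function startGame(uint256 duration) external onlyOwner {
        if (gameActive) revert GameAlreadyActive();
        gameActive = true;
        endTime = block.timestamp + duration;
        emit GameStarted(block.timestamp, endTime);
    }

    // Normal close: only allowed once the advertised window has elapsed.
    function endGame() external onlyOwner {
        if (!gameActive) revert GameNotActive();
        if (block.timestamp < endTime) revert GameStillRunning(block.timestamp, endTime);
        gameActive = false;
        emit GameEnded(block.timestamp);
    }

    // Emergency close: deliberately separate and loudly named, so an owner
    // cannot end a live round by mistaking it for the normal close.
    function forceEndGameEarly() external onlyOwner {
        if (!gameActive) revert GameNotActive();
        gameActive = false;
        emit GameForceEnded(block.timestamp, endTime);
    }
}

contract TimedGameTest is Test {
    TimedGame internal game;

    function setUp() public {
        game = new TimedGame();
        game.startGame(150); // the 150-second window used in the report
    }

    function test_endGameRevertsBeforeDuration() public {
        vm.warp(block.timestamp + 100); // still 50 seconds left
        vm.expectRevert(
            abi.encodeWithSelector(TimedGame.GameStillRunning.selector, block.timestamp, game.endTime())
        );
        game.endGame();
        assertTrue(game.gameActive());
    }

    function test_endGameSucceedsAfterDuration() public {
        vm.warp(game.endTime()); // exactly at the scheduled end is allowed
        game.endGame();
        assertFalse(game.gameActive());
    }

    function test_forceEndGameEarlyWorksMidGame() public {
        vm.warp(block.timestamp + 10);
        game.forceEndGameEarly();
        assertFalse(game.gameActive());
    }

    function test_forceEndGameEarlyRevertsWhenInactive() public {
        vm.warp(game.endTime());
        game.endGame();
        vm.expectRevert(TimedGame.GameNotActive.selector);
        game.forceEndGameEarly();
    }
}
```

Run with `forge test` in a project that has forge-std installed. The custom errors replace the string requires from the recommendation only to make the revert reasons cheap to assert on; the enforcement logic is the same as the diff above.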
Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
