Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

The endless search for eggs

nikita10012021

Summary

A player can endlessly mine eggs without letting new players come in and win eggs.

Vulnerability Details

function searchForEgg() external {
require(gameActive, "Game not active");
require(block.timestamp >= startTime, "Game not started yet");
require(block.timestamp <= endTime, "Game ended");

// Pseudo-random number generation (for demonstration purposes only)

uint256 random = uint256(

keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))

) % 100;

if (random < eggFindThreshold) {

eggCounter++;

eggsFound[msg.sender] += 1;

eggNFT.mintEgg(msg.sender, eggCounter);

emit EggFound(msg.sender, eggCounter, eggsFound[msg.sender]);

}

There is no limit on attempts to find the game's egg. Multiple players mine eggs until the end of the game without letting other players do it and earning all the money.

Impact

This could lead to a loss of demand for the game and attracting new players.

Tools Used

Recommendations

You can limit the number of attempts per player's game or prescribe a delay in the search. Also for convenience you can specify the time left until the next attempt or how many attempts are left.

uint256 public constant SEARCH_DELAY = ....

.....

require( block.timestamp >= lastSearchTime[msg.sender] + SEARCH_DELAY, "We have to wait a little longer" );

lastSearchTime[msg.sender] = block.timestamp;

uint256 public maxSearchAttempts = ...;

require(searchAttempts[msg.sender] < MAX_SEARCH_ATTEMPTS, "Max search attempts reached"); **

searchAttempts[msg.sender] += 1;

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

No rate limiting

Contract lacks any cooldown mechanism, search limits, or costs in the searchForEgg() function

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.