Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Game disruption risk - owner can change gameContract mid-game

Summary

The contract owner can change the gameContract address at any time, including during an active game, without any validation. This can break in-progress gameplay interactions, such as minting found eggs.

Vulnerability Details

The setGameContract() function lacks a check to ensure the game is not currently active (gameActive). If changed mid-game, any players relying on the previous game contract logic may encounter errors or failed operations.

For example, users might find eggs through gameplay, but the minting or reward logic may no longer function if it's tied to the old contract address.

function setGameContract(address _gameContract) external onlyOwner {
    require(_gameContract != address(0), "Invalid game contract address");
    // Add gameActive check
    gameContract = _gameContract;
}

Impact

Loss of Progress - Players may lose their ability to mint eggs if the contract is changed during gameplay.

Tools Used

Manual review

Recommendations

Add a require on the gameActive variable in setGameContract() so that the game contract address cannot be changed while a game is active.
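
One way to apply this recommendation, as an added example that is not the project's own code. It assumes the currently configured game contract exposes a public gameActive() getter; the IGameStatus interface, the GameContractSetterExample contract, the GameContractUpdated event and the "Game is active" message are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

// Assumption: the game contract exposes its active flag through a public getter.
interface IGameStatus {
    function gameActive() external view returns (bool);
}

// Hypothetical minimal contract; only the setter logic is the point.
contract GameContractSetterExample {
    address public owner;
    address public gameContract;

    // Hypothetical event so off-chain monitoring can see every change.
    event GameContractUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setGameContract(address _gameContract) external onlyOwner {
        require(_gameContract != address(0), "Invalid game contract address");

        // Refuse the swap while the currently configured game is running.
        // On first configuration there is no previous game to query.
        address current = gameContract;
        if (current != address(0)) {
            require(!IGameStatus(current).gameActive(), "Game is active");
        }

        gameContract = _gameContract;
        emit GameContractUpdated(current, _gameContract);
    }
}
```

If the currently configured address does not implement gameActive(), the external call reverts and the setter can no longer be used, so the first address set must be a contract that exposes the getter.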

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

State corruption

Changing the NFT contract address doesn't update the storedEggs and eggDepositors mappings
