Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Misconfigured Access Control for setGameContract

Summary

The setGameContract function allows the owner to assign a new game contract responsible for minting NFTs. However, if ownership is renounced, anyone can take control of minting by setting their own malicious game contract. This can lead to unauthorized NFT creation, significantly compromising the integrity of the smart contract.

Vulnerability Details

    function setGameContract(address _gameContract) external onlyOwner {
        require(_gameContract != address(0), "Invalid game contract address");
        gameContract = _gameContract;
    }

  • The function allows the owner to set the game contract without verifying if _gameContract is a trusted smart contract.

  • If renounceOwnership() is called, ownership is lost, making setGameContract accessible to anyone.

Impact

  • An attacker can take over the contract by setting their own contract as gameContract and mint unlimited NFTs.

  • The integrity of the NFT collection is compromised, leading to supply inflation and potential loss of value.

  • If ownership is renounced, there is no way to recover control, permanently exposing the contract to abuse.

Tools Used

Manual Review

Recommendations

  • The deployer should be the owner and should be mentioned as message.sender

  • Prevent ownership renouncement
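
The two recommendations above, sketched as an added example (not code from the submission or from the Eggstravaganza project). It assumes OpenZeppelin Ownable v5; the contract, error and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5, where Ownable takes the initial owner
// as a constructor argument.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical contract name; only the setter and ownership logic are shown.
contract GameContractRegistry is Ownable {
    address public gameContract;

    error NotAContract(address candidate); // hypothetical error
    error RenounceDisabled();              // hypothetical error

    // Hypothetical event: gives monitoring a signal whenever the minter changes.
    event GameContractUpdated(address indexed previous, address indexed current);

    // Recommendation 1: the deployer (msg.sender) is set as owner explicitly.
    constructor() Ownable(msg.sender) {}

    function setGameContract(address _gameContract) external onlyOwner {
        require(_gameContract != address(0), "Invalid game contract address");
        // Reject addresses with no deployed code (EOAs, typos). This does not
        // establish that the target is trusted, only that it is a contract.
        if (_gameContract.code.length == 0) revert NotAContract(_gameContract);
        emit GameContractUpdated(gameContract, _gameContract);
        gameContract = _gameContract;
    }

    // Recommendation 2: ownership cannot be renounced, so an owner always
    // exists to manage gameContract. transferOwnership() is left intact.
    function renounceOwnership() public view override onlyOwner {
        revert RenounceDisabled();
    }
}
```
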

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
