Submission Details
Severity:
Threshold can be change anytime weather the game is active or not.
Description
`EggHuntGame::setEggFindThreshold` function sets the percentage threshold to find or hunt the egg nft. nut the threshold can be changed anytime, like weather the game is ongoing or not. there is no checks for the game activity, due to this owner can change the threshold value at the time when game is ongoing.
Impact
The owner can change threshold in beetween game lead to harm protocol, And few of participants can not get the nft.
Proof of Concept
Add this test into `EggHuntGameTest.t.sol` file.
```javascript
function testSetEggFindThresholdCanBeVhangeAnyTime() public {
assertEq(game.eggFindThreshold(), 20);
game.startGame(1 hours);
game.setEggFindThreshold(10);
assertEq(game.eggFindThreshold(), 10);
game.endGame();
}
```
Recommendations
Protocol should implement the check weather the game is active or not. If the game is active no one must allowed to change the value of threshold.
Add this check into `setEggFindThreshold` function.
```diff
function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
+ require(gameActive, "Game is active");
require(newThreshold <= 100, "Threshold must be <= 100");
eggFindThreshold = newThreshold;
}
```
If the game is active then the function will revert as `Game is active` error.
Updates
Lead Judging Commences
m3dython 4 months ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
Trusted Owner
Owner is trusted and is not expected to interact in ways that would compromise security
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.