Normal behavior:
Admin functions should remain accessible to manage the game across multiple rounds, and platform fees should be withdrawable by the owner.
Specific issue:
The contract inherits OpenZeppelin's Ownable without overriding renounceOwnership(). This function allows the owner to permanently set ownership to address(0), making all onlyOwner functions permanently inaccessible and locking platform fees forever.
Likelihood:
Owner accidentally calls renounceOwnership() thinking it's safe.
Compromised owner key used maliciously.
Social engineering attacks targeting the owner.
Impact:
All admin functions become permanently inaccessible.
Game cannot be reset after the first round ends.
Platform fees are locked forever with no recovery mechanism.
Contract becomes a "one-time-use" game that cannot restart.
Users lose access to the game permanently.
The following tests demonstrate the catastrophic impact of calling renounceOwnership():
Override renounceOwnership() to prevent ownership renunciation and protect the contract from being permanently bricked:
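An added example of such an override, not the report's own code nor the audited contract; it assumes OpenZeppelin Contracts v5 (Ownable takes the initial owner as a constructor argument) and uses hypothetical names (GameWithProtectedOwnership, platformFees, resetGame, withdrawPlatformFees, enter) to show which admin paths the override keeps reachable:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5, where Ownable's constructor takes the initial owner.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Hypothetical game contract constructed for this example; not the audited code.
contract GameWithProtectedOwnership is Ownable {
    error OwnershipCannotBeRenounced();
    error NothingToWithdraw();

    uint256 public platformFees;  // fees accrued for the owner to withdraw
    uint256 public currentRound;  // bumped each time the owner resets the game

    constructor() Ownable(msg.sender) {}

    /// @dev Blocks the inherited renounceOwnership(). Without this override the owner
    ///      could set ownership to address(0), after which every onlyOwner function
    ///      below (resetGame, withdrawPlatformFees) would revert forever.
    function renounceOwnership() public view override onlyOwner {
        revert OwnershipCannotBeRenounced();
    }

    /// @notice Accrues a platform fee; the 10% split is a constructed value.
    function enter() external payable {
        platformFees += msg.value / 10;
    }

    /// @notice Owner-only reset so the game can run more than one round.
    function resetGame() external onlyOwner {
        currentRound += 1;
    }

    /// @notice Owner-only fee withdrawal; this is the path that would be locked
    ///         forever if ownership could still be renounced.
    function withdrawPlatformFees() external onlyOwner {
        uint256 amount = platformFees;
        if (amount == 0) revert NothingToWithdraw();
        platformFees = 0;
        (bool ok, ) = payable(owner()).call{value: amount}("");
        require(ok, "fee transfer failed");
    }
}
```

Ownable already rejects transferOwnership(address(0)) in both v4 and v5, so renounceOwnership() is the only inherited route to a zero-address owner; the override closes it while leaving a deliberate transferOwnership() to a new key possible.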