Submission Details
Severity: high
Valid

Bad Randomness

Summary

Bad Randomness

Vulnerability Details

All transactions on the Ethereum blockchain are public and queryable. A contract that generates random numbers without taking this into account may be vulnerable to malicious users who exploit it to their advantage.
The `winnerIndex` is generated by computing the keccak256 hash of `msg.sender`, `block.timestamp`, and `block.difficulty`.
See the DASP Top 10 documentation for more details about Bad Randomness.

Impact

The winner can be predicted and controlled.

Tools Used

Recommendations

You might consider using Chainlink VRF.
Chainlink VRF (Verifiable Random Function) is a provably fair and verifiable random number generator (RNG) that enables smart contracts to access random values without compromising security or usability. For each request, Chainlink VRF generates one or more random values and cryptographic proof of how those values were determined. The proof is published and verified on-chain before any consuming applications can use it. This process ensures that results cannot be tampered with or manipulated by any single entity including oracle operators, miners, users, or smart contract developers.
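A sketch of how the recommendation could replace the hashed `winnerIndex`, added here as an example; it is not code from the audited contract or from this submission. The contract name, `players`, `enter` and `requestWinner` are hypothetical, and the import paths and coordinator call assume Chainlink's VRF v2 subscription contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added example. Import paths and the v2 subscription API are assumptions;
// check them against the Chainlink contracts version you install.
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

contract RaffleWithVrf is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;      // gas lane chosen at deployment
    uint64 private immutable subscriptionId;

    address[] public players;   // hypothetical entrant list
    address public winner;
    bool public drawPending;    // true between request and fulfilment
    uint256 public lastRequestId;

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) VRFConsumerBaseV2(_coordinator) {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subscriptionId = _subId;
    }

    function enter() external {
        // Freeze the entrant list once randomness has been requested, so the
        // index cannot be steered by adding players after the request.
        require(!drawPending, "draw in progress");
        players.push(msg.sender);
    }

    // Weak pattern from the finding, shown only for contrast:
    //   winnerIndex = uint256(keccak256(abi.encodePacked(
    //       msg.sender, block.timestamp, block.difficulty))) % players.length;
    // Every input is visible to, or chosen by, the caller or block producer.
    function requestWinner() external {
        require(players.length > 0, "no players");
        require(!drawPending, "draw in progress");
        drawPending = true;
        // 3 confirmations, 100k callback gas, 1 random word (constructed values).
        lastRequestId = coordinator.requestRandomWords(keyHash, subscriptionId, 3, 100_000, 1);
    }

    // Called through the base contract only after the proof verifies on-chain.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        if (!drawPending || requestId != lastRequestId) return; // ignore stale callbacks
        winner = players[randomWords[0] % players.length];
        drawPending = false;
    }
}
```

The winner is only known in the callback transaction, so payout logic belongs in or after `fulfillRandomWords`, not in the requesting call.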

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.
