Mystery Box

First Flight #25
Submission Details
Severity: medium
Valid

Use of Weak RNG in `MysteryBox::openBox` Creates Opportunities for Reward Fixing

[H-01] Use of Weak RNG in MysteryBox::openBox Creates Opportunities for Reward Fixing

Summary

The `randomValue` that determines the Mystery Box reward is generated as a hash of `block.timestamp` and `msg.sender`. Users can therefore time their function call to ensure they receive one of the rare rewards, which makes the randomness scheme ineffective.

Vulnerability Details

Below is the implementation of the openBox function:

```solidity
function openBox() public {
    require(boxesOwned[msg.sender] > 0, "No boxes to open");
    // Generate a random number between 0 and 99
@>  uint256 randomValue = uint256(
@>      keccak256(abi.encodePacked(block.timestamp, msg.sender))
@>  ) % 100;
    // Determine the reward based on probability
    if (randomValue < 75) {
        // 75% chance to get Coal (0-74)
        rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
    } else if (randomValue < 95) {
        // 20% chance to get Bronze Coin (75-94)
        rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
    } else if (randomValue < 99) {
        // 4% chance to get Silver Coin (95-98)
        rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether)); //@audit should be 0.25 ether, not 0.5 ether
    } else {
        // 1% chance to get Gold Coin (99)
        rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
    }
    boxesOwned[msg.sender] -= 1;
}
```

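The `randomValue` here uses a weak RNG scheme: both inputs, `block.timestamp` and `msg.sender`, are predictable or chosen by the caller before the transaction is sent, so the result is not suitable for secure randomness generation.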

Impact

Users can consistently win the rarest rewards by strategically timing their function calls, compromising the intended randomness.

Tools Used

Manual Review

Recommendations

Implement a provable randomness scheme such as Chainlink VRF to ensure the integrity of the random reward distribution.
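
A sketch of how the recommendation could look, splitting `openBox` into a request step and a fulfilment step so the caller cannot know the roll when the box is spent. This is an added example, not code from the audited project. It assumes Chainlink VRF v2 (`VRFConsumerBaseV2`, `VRFCoordinatorV2Interface`); the contract name `MysteryBoxVRF`, the `opener` mapping, the confirmation count and the callback gas limit are illustrative assumptions, and box purchase logic is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Import paths assume an @chainlink/contracts release that ships VRF v2; they vary by package version.
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

contract MysteryBoxVRF is VRFConsumerBaseV2 {
    struct Reward { string name; uint256 value; }

    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash; // gas lane, network specific (assumed config)
    uint64 private immutable subId;    // funded VRF subscription (assumed config)

    mapping(address => uint256) public boxesOwned;
    mapping(address => Reward[]) public rewardsOwned;
    mapping(uint256 => address) private opener; // VRF requestId => box owner (hypothetical name)

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) VRFConsumerBaseV2(_coordinator) {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // Step 1: spend the box and request randomness; no reward is decided in this transaction.
    function openBox() external returns (uint256 requestId) {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        boxesOwned[msg.sender] -= 1; // consumed before the outcome exists
        // 3 confirmations, 200k callback gas, 1 random word (illustrative values)
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        opener[requestId] = msg.sender;
    }

    // Step 2: reached only through the coordinator, after the VRF proof has been verified.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address user = opener[requestId];
        delete opener[requestId];
        uint256 roll = randomWords[0] % 100; // same 0-99 range as the original openBox
        // Tier thresholds and values copied unchanged from the openBox listing above.
        if (roll < 75) rewardsOwned[user].push(Reward("Coal", 0 ether));
        else if (roll < 95) rewardsOwned[user].push(Reward("Bronze Coin", 0.1 ether));
        else if (roll < 99) rewardsOwned[user].push(Reward("Silver Coin", 0.5 ether));
        else rewardsOwned[user].push(Reward("Gold Coin", 1 ether));
    }
}
```

The box is decremented in the request transaction, so a user cannot abandon an unfavourable result and retry with the same box.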

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
