The openBox function of the MysteryBox contract contains a critical vulnerability that undermines the randomness of prize allocation. Prizes are determined from predictable inputs, so users can anticipate their rewards in advance and exploit the game's mechanics.
The openBox function determines the prize that a user will receive by calculating a random value on line 47:
In this line, randomValue is calculated by hashing block.timestamp and the msg.sender address, converting the result to a uint256, and taking the modulo by 100. This method does not generate a truly random number for the following reasons:
Predictability: Both block.timestamp and msg.sender are known values; thus, the output can be anticipated by any user before they call the function.
Potential for Manipulation: Users can exploit this predictability by calling the openBox function at specific times, or they may choose their msg.sender to influence the output.
Consequently, users can determine the prize they will receive without spending Ether or invoking the function by simply hashing known values. This undermines the fairness of the game's mechanics.
This vulnerability can lead to significant negative impacts on the integrity of the game. Users may exploit the deterministic behavior of the prize allocation system to maximize their rewards or engage in malicious tactics by anticipating their outcomes.
Manual review
To enhance the security and randomness of the openBox function, it is recommended to implement Chainlink Verifiable Random Function (VRF). This approach provides a way to generate a secure, verifiable source of randomness that can drastically improve prize allocation fairness. Please refer to the Chainlink VRF documentation for guidance on implementation.