Summary
The method used to generate randomness (a combination of block.timestamp and msg.sender) is not secure: both inputs are predictable and can be manipulated.
Vulnerability Details
This approach attempts to generate a random number based on:
block.timestamp: The current block's timestamp.
msg.sender: The address of the caller (who initiated the transaction).
Vulnerabilities:
block.timestamp Manipulation:
The timestamp is set by the miner of the block. Although it must stay within a certain range of the previous block's timestamp to avoid major deviations, miners still have some flexibility to influence it within that window.
A miner could slightly adjust the timestamp to favor an outcome that benefits them.
Predictability of msg.sender:
msg.sender is simply the address of the caller. It is chosen by whoever interacts with the contract, which makes it predictable.
Someone trying to manipulate the outcome could repeatedly call the function from different addresses (or accounts) until they get the desired result.
Low Entropy:
The combination of block.timestamp and msg.sender provides very little entropy. Since both of these values are predictable, the resulting "random" number is also predictable.
Findings
https://github.com/Cyfrin/2024-09-mystery-box/blob/281a3e35761a171ba134e574473565a1afb56b68/src/MysteryBox.sol#L47
Impact
Attackers can simulate the possible outcomes off-chain, making it easy to predict or manipulate the "random" value.
Tools Used
Manual analysis
Recommendations
Consider using Chainlink VRF (Verifiable Random Function) for secure randomness.
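As an added illustration (not the project's code and not part of the original finding), the weak pattern described above beside a Chainlink VRF v2 consumer. The WeakRandomBox contract is a constructed reconstruction of the pattern, not the line linked under Findings; the import paths, constructor parameters and constants are assumptions to be checked against the Chainlink package version in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed import paths for Chainlink VRF v2; check them against the @chainlink/contracts version in use.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Weak pattern (illustrative, not the MysteryBox source): every input is known or influenceable
// before the transaction is mined, so the result can be computed off-chain in advance.
contract WeakRandomBox {
    uint256 public constant OUTCOMES = 4;
    function openBox() external view returns (uint256 outcome) {
        // block producer picks block.timestamp within its window; caller picks msg.sender
        outcome = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % OUTCOMES;
    }
}
// Hardened pattern: randomness is requested from the VRF coordinator and the outcome is assigned
// only in the oracle callback, so neither the caller nor the block producer can choose it.
contract VrfRandomBox is VRFConsumerBaseV2 {
    uint256 public constant OUTCOMES = 4;
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;       // gas lane, network-specific (assumed value supplied at deploy)
    uint64 private immutable i_subscriptionId; // funded VRF subscription
    mapping(uint256 => address) private s_requestToOpener; // requestId => box opener
    mapping(address => uint256) public outcomeOf;          // opener => assigned outcome

    constructor(address coordinator, bytes32 keyHash, uint64 subscriptionId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
    }

    // Step 1: the user only starts a request; no outcome is decided in this transaction.
    function openBox() external returns (uint256 requestId) {
        requestId = i_coordinator.requestRandomWords(
            i_keyHash, i_subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, 1
        );
        s_requestToOpener[requestId] = msg.sender;
    }

    // Step 2: the coordinator delivers the verified random word; the outcome is fixed here.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address opener = s_requestToOpener[requestId];
        require(opener != address(0), "unknown request");
        outcomeOf[opener] = randomWords[0] % OUTCOMES;
        delete s_requestToOpener[requestId];
    }
}
```

The two-step request/fulfill split is what removes the attacker's ability to preview the result: the outcome does not exist at the time the user's transaction is mined.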