Predictable Randomness Can Be Exploited
Summary
The random number generation in the openBox() function is based on block.timestamp and msg.sender, which are predictable. This can allow an attacker to manipulate the randomness to consistently win valuable rewards.
Vulnerability Details
The contract uses the following logic to generate a random value:
Both block.timestamp and msg.sender are predictable and can be influenced by miners or attackers. An attacker can manipulate these values to predict or control the outcome of the randomness, allowing them to obtain more valuable rewards unfairly.
Impact
An attacker could game the system to maximize their chances of winning high-value rewards, such as Silver or Gold Coins, at the expense of other users. Over time, this could drain the contract’s valuable rewards and damage its reputation.
Tools Used
Manual code review
Recommendations
Use a more secure randomness mechanism, such as Chainlink VRF (Verifiable Random Function), which provides a secure and verifiable source of randomness.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.