The `openBox` function is in charge of determining the reward that the user receives upon opening the box they bought. It does so by calculating a random number, and the reward the user gets depends on that number. However, a random number cannot be securely generated on-chain this way: hashing `block.timestamp` and the address of `msg.sender` produces a predictable number.
- Malicious users can manipulate those values, or know what they will be, helping them choose a user to win.
- This also lets users front-run and request a refund if they are not the winner.
Manual Review
Consider using a cryptographically provable random number generator such as Chainlink VRF.
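The sketch below is an added example, not code from the audited contract or from Chainlink. It shows the two-transaction request/callback shape that a VRF integration gives `openBox`. Assumptions: `IRandomnessCoordinator`, `BoxOpener`, `buyBox`, `fulfillRandomness`, `BOX_PRICE`, the `% 100` roll and the rule that only unopened boxes are refundable are all hypothetical stand-ins; a real integration would use the VRF provider's own consumer base contract and coordinator interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator (assumption, not Chainlink's real interface).
interface IRandomnessCoordinator {
    function requestRandomness() external returns (uint256 requestId);
}

contract BoxOpener {
    uint256 public constant BOX_PRICE = 0.1 ether;     // constructed value
    IRandomnessCoordinator public immutable coordinator;
    mapping(address => uint256) public unopenedBoxes;  // bought, not yet opened
    mapping(uint256 => address) public pendingOpen;    // requestId => box owner
    mapping(address => uint256) public lastRoll;       // 0..99, mapped to a reward tier elsewhere
    event BoxOpened(address indexed user, uint256 roll);

    constructor(address coordinator_) {
        coordinator = IRandomnessCoordinator(coordinator_);
    }

    function buyBox() external payable {
        require(msg.value == BOX_PRICE, "wrong price");
        unopenedBoxes[msg.sender] += 1;
    }

    // Weak pattern from the finding, for contrast only:
    //   uint256 roll = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
    // Both inputs are known before the transaction executes, so the roll is too.
    // Step 1: consume the box and request randomness. No outcome exists in this transaction.
    function openBox() external {
        require(unopenedBoxes[msg.sender] > 0, "no box");
        unopenedBoxes[msg.sender] -= 1; // consumed before the roll is known, so no refund after seeing it
        uint256 requestId = coordinator.requestRandomness();
        pendingOpen[requestId] = msg.sender;
    }

    // Step 2: the coordinator delivers the random word in a later transaction.
    function fulfillRandomness(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address user = pendingOpen[requestId];
        require(user != address(0), "unknown request");
        delete pendingOpen[requestId]; // each request is fulfilled at most once
        lastRoll[user] = randomWord % 100;
        emit BoxOpened(user, lastRoll[user]);
    }
}
```

Because the box is consumed in `openBox` and the roll arrives only in the coordinator's callback, the caller can neither compute the outcome in advance nor back out after seeing it.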