Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

THE USE OF WEAK PRNG

Summary:

Pseudo Random Number Generators (PRNGs) are used to generate random numbers in smart contracts. However, certain sources used in these generators can be influenced and predicted, making them "weak."

Vulnerability Details:

```solidity
function addReward(string memory _name, uint256 _value) public {
    require(msg.sender == owner, "Only owner can add rewards");
    rewardPool.push(Reward(_name, _value));
}

function buyBox() public payable {
    require(msg.value == boxPrice, "Incorrect ETH sent");
    boxesOwned[msg.sender] += 1;
}

function openBox() public {
    require(boxesOwned[msg.sender] > 0, "No boxes to open");
    // Generate a random number between 0 and 99
    // Both inputs are public before the transaction is included, so the result is predictable
    uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
    // ... remainder of openBox() (reward selection from randomValue) not shown in the report
}
```

Impact:

An attacker who can control the ordering of transactions in the block he is mining can call the openBox() function in his own transaction and mine it. When the transaction is reordered within the block with a specific blockhash (block.blockhash(1000)) that ensures a desired outcome when the 10% is calculated, the miner "wins" the game, as he can predict the random value.

Tools Used:

Aderyn, Slither and ChatGPT

Recommendations:

Using Chainlink VRF would be a better and more secure option, as it provides cryptographic randomness that cannot be predicted from on-chain data.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
