The code generates a random number by hashing block.timestamp and msg.sender with keccak256. Both inputs are visible on-chain and both can be chosen or influenced by a participant, so this is a weak source of randomness and unsuitable for secure random number generation in Solidity.
In the current implementation, the randomness depends only on block.timestamp and msg.sender, which are predictable and can be influenced by malicious actors, particularly miners. A miner can adjust the block's timestamp within the allowed range to steer the outcome, which defeats the randomness of the generated value.
Relying on a weak source of randomness produces predictable outcomes, which makes the openBox() functionality exploitable: a malicious actor can arrange to open mostly the rarest boxes.
Manual review
The best practice for secure random number generation in Solidity is to use verifiable randomness from external oracles like Chainlink VRF (Verifiable Random Function). This ensures that the random numbers are unpredictable and tamper-proof. Here's a suggested approach:
Integrate Chainlink VRF for generating secure random numbers.
Avoid using block.timestamp, msg.sender, or other on-chain parameters as sources of randomness.
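As an added illustration of the recommended fix (example code written for this finding, not code from the audited project), the box opening below is split into a request step and a VRF callback step so that no value under the caller's or a block producer's control decides the rarity. Contract, function and state names other than openBox() are assumed, as is the Chainlink import path, which varies by package version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Import paths assume @chainlink/contracts 0.8.x; adjust for the installed version.
import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

contract BoxOpener is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;       // gas lane, network specific
    uint64 private immutable subscriptionId; // funded VRF subscription
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint32 private constant NUM_WORDS = 1;

    // requestId => user who opened the box, recorded before the random word exists
    mapping(uint256 => address) public pendingOpener;
    mapping(address => uint8) public lastRarity; // user => rarity of last box
    event BoxOpened(uint256 indexed requestId, address indexed opener, uint8 rarity);

    constructor(address vrfCoordinator, bytes32 _keyHash, uint64 _subscriptionId)
        VRFConsumerBaseV2(vrfCoordinator)
    {
        coordinator = VRFCoordinatorV2Interface(vrfCoordinator);
        keyHash = _keyHash;
        subscriptionId = _subscriptionId;
    }

    // Step 1: commit to opening a box. No outcome is decided in this transaction,
    // so nothing the caller or a block producer controls can steer the rarity.
    function openBox() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(
            keyHash, subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, NUM_WORDS
        );
        pendingOpener[requestId] = msg.sender;
    }

    // Step 2: the coordinator delivers a proof-checked random word. Only the
    // coordinator can reach this, via VRFConsumerBaseV2.rawFulfillRandomWords.
    // The callback must not revert, so an unknown request is ignored, not rejected.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address opener = pendingOpener[requestId];
        if (opener == address(0)) return;
        delete pendingOpener[requestId];
        // Illustrative rarity table: 1% rarity 3, 9% rarity 2, 90% rarity 1.
        uint256 roll = randomWords[0] % 100;
        uint8 rarity = roll < 1 ? 3 : (roll < 10 ? 2 : 1);
        lastRarity[opener] = rarity;
        emit BoxOpened(requestId, opener, rarity);
    }
}
```

The contract address must be added as a consumer on the funded VRF subscription before openBox() can succeed, and the subscription needs enough LINK to cover the callback gas.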