Mystery Box

First Flight #25

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-2]: Weak randomness in `MysteryBox::openBox` allows users to predict or influence the random value and influence the winnings amount

awacs

Summary

Hashing block.timestamt and msg.sender together is creating a predictable final number that malicious users may manipulate or know them ahead of time. Both values are known and hashing them creates an output that can be known in advance.

Vulnerability Details

Any user can influence the rarity of the coin they receive. This can damage the protocol as the funds allocated for winnings may quickly run dry.

Proof-of-Concept

Validators know ahead of time the block.timestamp and know the msg.sender value that will be used to generate the MysteryBox::openBox randomValue variable.
Users can mine or manipulate their msg.sender so the result gives a desired value to get the largest winnings
Users can also revert their transaction if they do not like the winnings

Tools Used

Static analysis

Recommendations

Consider using a cryptographically provable random number generator such as Chainlink VRF.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Weak Randomness

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.