Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Wrong usage of `block.timestamp` for randomness, resulting to weak randomness

myssteeque

Description

The function MysteryBox::openBox uses block.timestamp as part of the randomness generation mechanism, which results in weak and predictable randomness.However, block.timestamp is a value that can be influenced by miners within a certain range, making the outcome predictable and subject to manipulation, especially when the potential reward outweighs the cost of manipulating the block timestamp.

function openBox() public {
require(boxesOwned[msg.sender] > 0, "No boxes to open");
// Generate a random number between 0 and 99
@>> uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
// Determine the reward based on probability
:
:
:
}

Impact

The weak randomness generated by block.timestamp could allow attackers or miners to manipulate the results of the openBox function. By adjusting the block's timestamp, miners could increase their chances of getting favorable rewards, while attackers could repeatedly call the function with predictable outcomes, leading to an unfair advantage.

Tools Used

Manual Review

Recommended mitigation

To ensure strong and unpredictable randomness, it is recommended to use a secure randomness generation mechanism, such as Chainlink VRF (Verifiable Random Function). Chainlink VRF provides tamper-proof, verifiable randomness that is immune to manipulation by miners or users.

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.