Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Randomness Predictability

Summary

The random number generation logic in trickOrTreat() is susceptible to manipulation as it relies on block.timestamp, msg.sender, and block.prevrandao, all of which can be controlled or influenced by miners or users.

Vulnerability Details

  • Function: trickOrTreat()

  • Code Reference:

    uint256 random = uint256(keccak256(
        abi.encodePacked(block.timestamp, msg.sender, nextTokenId, block.prevrandao)
    )) % 1000 + 1;

block.timestamp and block.prevrandao are manipulable by miners, and msg.sender can be controlled by an attacker.

Impact

An attacker could influence the random number generation to always get a treat at half price or avoid paying double.

Tools Used

  • Manual Code Review

Recommendations

Use an external randomness oracle, such as Chainlink VRF, to generate secure and unpredictable random numbers:

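    // Example integration with Chainlink VRF for secure randomness
    // Assumes the contract inherits Chainlink's VRFConsumerBase (VRF v1), whose
    // internal requestRandomness(bytes32, uint256) is the call made below, and
    // that keyHash and fee are state variables set at deployment.
    function requestRandomness() external returns (bytes32 requestId) {
        return requestRandomness(keyHash, fee);
    }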
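
The request-then-callback pattern the recommendation points to, as an added example that is not part of the original submission or the contest code base. It uses the request signature of Chainlink VRF v2's coordinator, declared inline so the file stands alone. The contract name, the confirmation count, the callback gas limit and the escrow comments are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Minimal interface with the request signature of Chainlink's
// VRFCoordinatorV2Interface, declared inline so this file compiles on its own.
interface IVRFCoordinatorV2 {
    function requestRandomWords(
        bytes32 keyHash, uint64 subId, uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit, uint32 numWords
    ) external returns (uint256 requestId);
}

// Hypothetical contract name; pricing and minting logic are out of scope here.
contract TrickOrTreatVRFSketch {
    IVRFCoordinatorV2 public immutable coordinator;
    bytes32 public immutable keyHash; // gas lane, network-specific
    uint64 public immutable subId;    // funded VRF subscription
    mapping(uint256 => address) public pendingBuyer; // requestId => caller

    event RollRequested(uint256 indexed requestId, address indexed buyer);
    event RollFulfilled(uint256 indexed requestId, address indexed buyer, uint256 roll);

    error OnlyCoordinator();
    error UnknownRequest();

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) {
        coordinator = IVRFCoordinatorV2(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // Step 1: the caller commits (payment would be escrowed here) before any
    // randomness exists, so the outcome cannot be computed in the same transaction.
    function trickOrTreat() external returns (uint256 requestId) {
        // 3 confirmations and a 200k callback gas limit are assumed values.
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        pendingBuyer[requestId] = msg.sender;
        emit RollRequested(requestId, msg.sender);
    }

    // Step 2: only the coordinator may deliver the verified random word.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        if (msg.sender != address(coordinator)) revert OnlyCoordinator();
        address buyer = pendingBuyer[requestId];
        if (buyer == address(0)) revert UnknownRequest();
        delete pendingBuyer[requestId]; // each request settles at most once
        uint256 roll = (randomWords[0] % 1000) + 1; // same 1..1000 range as the page
        emit RollFulfilled(requestId, buyer, roll);
        // Price adjustment and minting for `buyer` would be settled here.
    }
}
```

Because the roll arrives in a later transaction, the price cannot be known when trickOrTreat() is called, so a design along these lines has to collect the maximum possible price up front and refund the difference in the callback.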
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] Weak randomness

It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.
