I noticed that you are already aware of this vulnerability, but I feel it's important to address it again. In the function trickOrTreat there is a random function generator used to produce a random param.
This randomparam is crucial for the protocol because its value determines the price of the treat for the customer.
Using block.timestamp, msg.sender, nextTokenId, and block.prevrandao as seed values for the random function is highly insecure. These values are predictable, and a validator operator can influence them to increase their own profits.
An attacker can influence block.timestamp, msg.sender, nextTokenId, and block.prevrandao to steer randomparam toward the half-price treat.
Manual review
Please implement a more secure VRF (Verifiable Random Function) as soon as possible.
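As an added illustration, not code from the audited protocol (this finding does not quote it), here is a hypothetical trickOrTreat that rolls the price from block values inside the same transaction, beside the two-step Chainlink VRF v2 shape the README promises. Apart from trickOrTreat, nextTokenId and the seed values named above, every contract, state and parameter name is an assumption, as are the import paths (they follow @chainlink/contracts 0.8.x) and the request tuning values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

// Hypothetical "before": every hash input is known, or chosen, when the transaction is
// built, so the price roll is decided before the block is produced.
contract WeakTrickOrTreat {
    uint256 public constant PRICE = 1 ether;
    uint256 public nextTokenId;
    function trickOrTreat() external payable {
        uint256 randomParam = uint256(keccak256(abi.encodePacked(
            block.timestamp, msg.sender, nextTokenId, block.prevrandao))) % 2;
        uint256 cost = randomParam == 0 ? PRICE / 2 : PRICE;
        require(msg.value >= cost, "underpaid");
        nextTokenId++; // mint omitted
    }
}
// Hypothetical "after": pay full price now; the VRF coordinator delivers the random word in a
// later block, and a winning roll becomes a withdrawable half-price refund.
contract VrfTrickOrTreat is VRFConsumerBaseV2 {
    uint256 public constant PRICE = 1 ether;
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subId;
    mapping(uint256 => address) public buyerOf; // requestId => buyer
    mapping(address => uint256) public refunds; // pull-payment balances
    constructor(address coord, bytes32 hash, uint64 sub) VRFConsumerBaseV2(coord) {
        coordinator = VRFCoordinatorV2Interface(coord);
        keyHash = hash;
        subId = sub;
    }
    function trickOrTreat() external payable {
        require(msg.value == PRICE, "pay full price; discount refunded on fulfillment");
        // 3 confirmations, 200k callback gas, 1 word: assumed tuning values
        uint256 id = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        buyerOf[id] = msg.sender;
    }
    function fulfillRandomWords(uint256 id, uint256[] memory words) internal override {
        address buyer = buyerOf[id];
        delete buyerOf[id];
        if (words[0] % 2 == 0) refunds[buyer] += PRICE / 2; // half-price roll; mint omitted
    }
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

The point of the second shape is that nothing the buyer or block producer controls at request time feeds the roll; the word arrives only after the request is mined, and the refund is pulled rather than pushed so the callback stays within its gas limit.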
It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.