Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

[EVMN] On-chain Random Generator In Use

Summary

The contract generates a random value from on-chain information, which is manipulable.

Vulnerability Details

The code on lines 56-57 generates a random value from a set of on-chain data. This method is known to be unsafe. A user can guess the random value before executing the function trickOrTreat() to make the result favourable to the user.
This means that the user's chance of getting a treat (an NFT for half the price) is much higher than 1/1000.

Impact

A user can mint an NFT for half the price with a much higher probability.

Tools Used

Manual review.

Recommendations

Consider using a more secure random generator method, for example by querying from a VRF provider.
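
A sketch of the request/fulfill structure that recommendation implies, as an added example that is not the contest contract or the project's code. `TreatDraw`, `PRICE`, the confirmation count, the gas limit and the refund mapping are hypothetical; the interface mirrors the Chainlink VRF v2 coordinator call and should be checked against the release actually deployed. NFT minting is left out so the randomness flow stays visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration (hypothetical names). Interface mirrors Chainlink VRF v2's coordinator call.
interface IVRFCoordinatorV2 {
    function requestRandomWords(bytes32 keyHash, uint64 subId, uint16 minConfirmations,
        uint32 callbackGasLimit, uint32 numWords) external returns (uint256 requestId);
}

contract TreatDraw {
    IVRFCoordinatorV2 public immutable coordinator;
    bytes32 public immutable keyHash;           // deployment-specific gas lane
    uint64 public immutable subId;              // funded subscription id
    uint256 public constant PRICE = 0.1 ether;  // constructed value
    mapping(uint256 => address) public buyerOf; // requestId => buyer awaiting a result
    mapping(address => uint256) public refunds; // pull-payment credit for treats
    event Requested(uint256 indexed requestId, address indexed buyer);
    event Settled(uint256 indexed requestId, address indexed buyer, bool treat);

    constructor(address coordinator_, bytes32 keyHash_, uint64 subId_) {
        coordinator = IVRFCoordinatorV2(coordinator_);
        keyHash = keyHash_;
        subId = subId_;
    }

    // Step 1: take the full price and request randomness. No outcome is derived
    // from block or caller data here, so nothing can be computed before sending.
    function trickOrTreat() external payable returns (uint256 requestId) {
        require(msg.value == PRICE, "wrong payment");
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        buyerOf[requestId] = msg.sender;
        emit Requested(requestId, msg.sender);
    }

    // Step 2: only the coordinator may deliver the word; each request settles once.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address buyer = buyerOf[requestId];
        require(buyer != address(0), "unknown request");
        delete buyerOf[requestId];
        bool treat = randomWords[0] % 1000 == 0; // 1-in-1000 treat
        if (treat) refunds[buyer] += PRICE / 2;  // half the price is credited back
        emit Settled(requestId, buyer, treat);
    }

    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0; // clear before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Because the buyer pays in full before the random word exists and the result is settled in a separate transaction they do not control, reverting or retrying the purchase cannot select a favourable outcome.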

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] Weak randomness

It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.
