Weak Randomness in SpookySwap::trickOrTreat allows users to influence or predict a trick or treat
Hashing msg.sender, block.timestamp and block.prevrandao together produces a predictable "random" number. A predictable number is not a good source of randomness: malicious users can manipulate these values, or know them ahead of time, and so choose or predict the outcome of a trick or treat for themselves.
Proof of Concepts:
Validators know block.timestamp and block.prevrandao ahead of time and can use them to decide when and how to participate.
Users can mine or manipulate the msg.sender value so that their address produces the trick or treat outcome they want.
Using on-chain values as a randomness seed is a well-documented attack vector in the blockchain space.
Any user can influence the trick or treat outcome, minting NFTs for half the money. This makes the entire raffle worthless if it turns into a gas war over who can predict the trick or treat, and the project may die down soon because of lack of liquidity.
Tools Used: Manual
Consider using a cryptographically provable random number generator such as Chainlink VRF.
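As an added illustration (not SpookySwap's code and not copied from Chainlink), the weak pattern from this finding beside a request/callback design built on Chainlink VRF v2. The contract name, the one-bit trick/treat outcome, the event and the import paths are assumptions; import paths differ between @chainlink/contracts releases.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Import paths are an assumption; they differ between @chainlink/contracts releases.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Illustrative contract, not SpookySwap's. "Trick" vs "treat" is reduced to one
// bit so the randomness source is the only thing that differs between the two paths.
contract TrickOrTreatExample is VRFConsumerBaseV2 {
    event Settled(address indexed user, bool isTrick);

    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;   // gas lane, per network
    uint64 private immutable subId;      // funded VRF subscription
    mapping(uint256 => address) public requester; // requestId => user awaiting a result

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // WEAK (the pattern from the finding): every input is either chosen by the caller
    // (msg.sender) or known to the block proposer before inclusion, so the result is computable in advance.
    function weakTrickOrTreat() external {
        uint256 r = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.prevrandao)));
        emit Settled(msg.sender, r % 2 == 0);
    }

    // HARDENED: split into request and fulfil. The caller commits first; the random
    // word arrives later from the coordinator, which verifies the VRF proof on-chain,
    // so neither the user nor the proposer can pick a transaction that "wins".
    function requestTrickOrTreat() external returns (uint256 requestId) {
        // args: keyHash, subscription id, request confirmations, callback gas limit, number of words
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        requester[requestId] = msg.sender;
    }

    // Called only by the coordinator (VRFConsumerBaseV2.rawFulfillRandomWords enforces this).
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address user = requester[requestId];
        require(user != address(0), "unknown request");
        delete requester[requestId];
        emit Settled(user, randomWords[0] % 2 == 0);
    }
}
```

The subscription must be funded with LINK and this contract added as a consumer before requestRandomWords will succeed.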
It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.