Trick or Treat

First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: low
Invalid

weak randomness

Summary

in the treat and trick function there is a randomness that is weak and can be guesssed

Vulnerability Details

https://github.com/Cyfrin/2024-10-trick-or-treat/blob/main/src/TrickOrTreat.sol#L48

The randomness generated using block.timestamp, msg.sender, nextTokenId, and block.prevrandao is not secure. Anyone can predict the outcome of the keccak256 hash because they can see the block timestamp and other parameters

Impact

users could predict the random number to always be 1, so they can get a treat

Tools Used

manual

Recommendations

Consider using a decentralized randomness oracle like Chainlink VRF (Verifiable Random Function).

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] Weak randomness

It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.