In the treat and trick function there is a randomness that is weak and can be guessed.
https://github.com/Cyfrin/2024-10-trick-or-treat/blob/main/src/TrickOrTreat.sol#L48
The randomness generated using block.timestamp, msg.sender, nextTokenId, and block.prevrandao is not secure. Anyone can predict the outcome of the keccak256 hash because they can see the block timestamp and other parameters.
Users could predict the random number to always be 1, so they can get a treat.
manual
Consider using a decentralized randomness oracle like Chainlink VRF (Verifiable Random Function).
It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.
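The recommendation above amounts to replacing a same-transaction hash with a request/fulfil flow, where the value arrives in a later transaction from the oracle. The sketch below is an added example, not code from the audited contract or from Chainlink. `IRandomnessCoordinator`, `RandomnessPatterns`, the function names and the 1 to 1000 range are hypothetical; a real integration would use Chainlink's own VRF consumer base contract and coordinator interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator; NOT Chainlink's real interface.
interface IRandomnessCoordinator {
    function requestRandomness() external returns (uint256 requestId);
}

contract RandomnessPatterns {
    IRandomnessCoordinator public immutable coordinator;
    uint256 public nextTokenId = 1;
    mapping(uint256 => address) public pendingBuyer; // requestId => buyer

    event Outcome(address indexed buyer, uint256 roll);

    constructor(IRandomnessCoordinator coordinator_) {
        coordinator = coordinator_;
    }

    // Weak pattern named in the finding: every input is either public chain
    // state or fixed for the whole block, so the result is known to the
    // caller at the moment the call executes.
    function weakRoll() public view returns (uint256) {
        return uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender, nextTokenId, block.prevrandao))
        ) % 1000 + 1; // range is an assumption made for this example
    }

    // Step 1: record who asked and request a value. No outcome exists yet,
    // so there is nothing for the caller to inspect and revert on.
    function requestRoll() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomness();
        pendingBuyer[requestId] = msg.sender;
    }

    // Step 2: the coordinator delivers the value in a later transaction.
    // The callback is restricted to the coordinator and is single-use.
    function fulfillRandomness(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address buyer = pendingBuyer[requestId];
        require(buyer != address(0), "unknown request");
        delete pendingBuyer[requestId];
        nextTokenId++;
        emit Outcome(buyer, randomWord % 1000 + 1);
    }
}
```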