Trick or Treat
First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

`random` variable in `trickOrTreat()` uses block.timestamp and block.prevrandao, which are not good source of randomness

0xlasadie

Summary

The random variable in trickOrTreat() is not truly random as the various parameters such as block.timestamp and block.prevrandao not good source of randomness and can be manipulated by miner/validators. Where miner/validators can allow specific address address to buy NFT at half price.

Vulnerability Details

The random variable in trickOrTreat() is not truly random as the various parameters are predictable or fixed:

  1. block.timestamp: The timestamp is predictable

  2. msg.sender: This value is fixed

  3. nextTokenId: The value of this variable is fixed for a period of time until the next NFT mint happens

  4. block.prevrandao: The value of prevrandao will remain the same until a new block is created in the blockchain

function trickOrTreat(string memory _treatName) public payable nonReentrant {
...
// Generate a pseudo-random number between 1 and 1000
-> uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender, nextTokenId, block.prevrandao))) % 1000 + 1;
...
}

Impact

Miner/validators can manipulate the block.prevrandao and block.timestamp to allow specific address to buy NFT at half price.

Tools Used

Foundry

Recommendations

Change to other randomness methods, such as using Chainlink VRF.

Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] Weak randomness

It's written in the README: "We're aware of the pseudorandom nature of the current implementation. This will be replaced with Chainlink VRF in later builds." This is a known issue.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.