The drawCard function uses a weak pseudo-random number generator based on block.timestamp, msg.sender, and block.prevrandao.
The random number generation relies on values that are predictable and manipulable, such as the block timestamp and block.prevrandao. These can be influenced by miners or players, making the randomness insufficient for secure gameplay.
The predictability of the random number generation allows attackers or miners to influence the card draws, undermining the fairness of the game.
Manual Code Review
Use a verifiable random function (VRF), such as Chainlink VRF, for secure and tamper-proof randomness to ensure fairness in card selection.
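A sketch of the request/fulfil flow this recommendation implies, added here as an example and not taken from the audited contract. The contract name, storage layout, the 52-card deck, the confirmation count and the gas limit are all assumptions, and the inline coordinator interface is assumed to mirror requestRandomWords of Chainlink VRF v2.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal coordinator interface, declared inline so the sketch is self-contained.
// Assumption: it mirrors requestRandomWords of Chainlink VRF v2.
interface IVRFCoordinator {
    function requestRandomWords(
        bytes32 keyHash, uint64 subId, uint16 minConfirmations,
        uint32 callbackGasLimit, uint32 numWords
    ) external returns (uint256 requestId);
}

contract VrfCardDraw { // hypothetical name
    IVRFCoordinator public immutable coordinator;
    bytes32 public immutable keyHash; // placeholder: network-specific value
    uint64 public immutable subId;    // placeholder: funded subscription id

    mapping(uint256 => address) public pendingDraw; // requestId => player
    mapping(address => bool) public drawInFlight;   // one open request per player
    mapping(address => uint256[]) public hand;      // hypothetical hand storage

    event DrawRequested(address indexed player, uint256 requestId);
    event CardDrawn(address indexed player, uint256 card);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) {
        coordinator = IVRFCoordinator(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // Step 1: the player commits to a draw before any random value exists,
    // so nothing in the current block determines the card.
    function requestCard() external returns (uint256 requestId) {
        require(!drawInFlight[msg.sender], "draw pending");
        drawInFlight[msg.sender] = true;
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        pendingDraw[requestId] = msg.sender;
        emit DrawRequested(msg.sender, requestId);
    }

    // Step 2: only the coordinator may deliver the proof-checked random word.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory words) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address player = pendingDraw[requestId];
        require(player != address(0), "unknown request");
        delete pendingDraw[requestId]; // each request is consumed exactly once
        drawInFlight[player] = false;
        uint256 card = (words[0] % 52) + 1; // assumed 52-card deck
        hand[player].push(card);
        emit CardDrawn(player, card);
    }
}
```

The sketch does not track which cards have already been dealt; that stays with the game's own deck logic.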
Randomness Manipulation: The randomness mechanism relies on block.timestamp, msg.sender, and block.prevrandao, which may be predictable in certain scenarios. Consider using Chainlink VRF or another oracle for more secure randomness.