TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Random Index can be Predictable

Summary

Due to publicly available data, attackers can predict the random index number.

Vulnerability Details

The function drawCard uses a method to generate a random index that can be exploited for the following reasons:

  • block.timestamp is publicly available.

  • msg.sender might be known in case the attacker is the sender.

  • block.prevrandao, aka the previous block hash, is accessible, and miners can also influence the value.

    // Every input to the hash is readable on-chain at execution time
    uint256 randomIndex = uint256(
        keccak256(
            abi.encodePacked(block.timestamp, msg.sender, block.prevrandao)
        )
    );
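The determinism described above can be confirmed with a Foundry test. This is an added example, not code from the TwentyOne repository or from the submission. The IndexSource contract, the modulo by a deck size, the deck size of 52, and the timestamp and prevrandao values are assumptions constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in that isolates the expression quoted in the finding.
// It is not the TwentyOne contract; reducing by deckSize is an assumption.
contract IndexSource {
    function draw(uint256 deckSize) external view returns (uint256) {
        return uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender, block.prevrandao))
        ) % deckSize;
    }
}

contract PredictableIndexTest is Test {
    IndexSource internal source = new IndexSource();

    function test_IndexIsFunctionOfPublicInputs() public {
        address player = makeAddr("player");
        vm.warp(1_700_000_000);                    // constructed timestamp
        vm.prevrandao(bytes32(uint256(0xabcdef))); // constructed prevrandao value

        // The same expression, evaluated outside IndexSource from block fields
        // that any code running in this block can read.
        uint256 expected = uint256(
            keccak256(abi.encodePacked(block.timestamp, player, block.prevrandao))
        ) % 52;

        // The contract returns exactly the value computed above, so the index
        // carries no entropy beyond the block context and the caller address.
        vm.prank(player);
        assertEq(source.draw(52), expected);
    }
}
```

The test passes for any timestamp, caller, or prevrandao value, which is why the judges tag this pattern as a known randomness issue and point to an oracle such as Chainlink VRF instead.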

Impact

  • Attackers can predict the random index which increases their winning chance.

  • A malicious actor, such as a miner, can observe the transaction in the mempool, calculate the random number, and attempt a frontrunning attack by submitting their own timing.

Tools Used

Manual Review

Recommendations

Use Chainlink's Verifiable Random Function (VRF), which provides a cryptographically secure random index.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[INVALID] Known - Randomness

Randomness Manipulation: The randomness mechanism relies on block.timestamp, msg.sender, and block.prevrandao, which may be predictable in certain scenarios. Consider using Chainlink VRF or another oracle for more secure randomness.
