Because every input to the random index is publicly available, attackers can predict the index before the transaction is mined.

The function drawCard derives its random index from values that an attacker can read or influence:

- block.timestamp is publicly visible and can be nudged by the block proposer within the protocol's tolerance.
- msg.sender is known to the caller, so an attacker who submits the transaction controls this input.
- block.prevrandao, the RANDAO value carried in the previous block header, is readable on-chain, and validators who propose blocks can influence it.

An attacker who predicts the random index can choose when (and whether) to play, which increases their chance of winning. A malicious actor such as a miner or validator can also observe a pending drawCard transaction in the mempool, compute the resulting index, and front-run it by submitting their own transaction at a favourable moment.
Tools Used: Manual Review

Recommendation: Use Chainlink's Verifiable Random Function (VRF), which provides a cryptographically verifiable random value that neither the caller nor the block proposer can predict or influence.
Randomness Manipulation: The randomness mechanism relies on block.timestamp, msg.sender, and block.prevrandao, which may be predictable in certain scenarios. Consider using Chainlink VRF or another oracle for more secure randomness.
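To make the finding concrete, the following added example (not code from the audited project) shows a minimal drawCard built on block.timestamp, msg.sender and block.prevrandao next to a version that requests randomness from Chainlink VRF v2. The names VulnerableDeck, VrfDeck, DECK_SIZE and the constructor parameters are assumptions for illustration; the Chainlink import paths follow the @chainlink/contracts v0.8 package and may differ between package versions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18; // block.prevrandao requires >= 0.8.18

// Assumed Chainlink VRF v2 imports (path depends on the @chainlink/contracts version).
import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

uint256 constant DECK_SIZE = 52; // assumed deck size for the example

/// Weak pattern: every input is readable before the block is mined.
contract VulnerableDeck {
    event CardDrawn(address indexed player, uint256 index);

    function drawCard() external returns (uint256 index) {
        // An attacker simulates this exact expression off-chain for the
        // upcoming block and only sends the transaction when the result suits them.
        index = uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender, block.prevrandao))
        ) % DECK_SIZE;
        emit CardDrawn(msg.sender, index);
    }
}

/// Hardened pattern: the index is fixed by a VRF proof delivered in a later block,
/// so the outcome is unknown at request time and verifiable on-chain.
contract VrfDeck is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subscriptionId;
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;

    mapping(uint256 => address) public requestToPlayer; // requestId => player
    mapping(address => bool) public hasPendingDraw;     // one open draw per player

    event DrawRequested(address indexed player, uint256 requestId);
    event CardDrawn(address indexed player, uint256 index);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subscriptionId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subscriptionId = _subscriptionId;
    }

    /// Step 1: ask the coordinator for one random word. Nothing about the card
    /// is decided here, so there is nothing for a front-runner to predict.
    function drawCard() external returns (uint256 requestId) {
        require(!hasPendingDraw[msg.sender], "draw already pending");
        hasPendingDraw[msg.sender] = true;
        requestId = coordinator.requestRandomWords(
            keyHash,
            subscriptionId,
            REQUEST_CONFIRMATIONS,
            CALLBACK_GAS_LIMIT,
            1 // numWords
        );
        requestToPlayer[requestId] = msg.sender;
        emit DrawRequested(msg.sender, requestId);
    }

    /// Step 2: the coordinator calls back with a proven random word; only then
    /// is the index derived. The player cannot re-roll by reverting here, because
    /// the callback is not sent by them.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords)
        internal
        override
    {
        address player = requestToPlayer[requestId];
        require(player != address(0), "unknown request");
        uint256 index = randomWords[0] % DECK_SIZE;
        delete requestToPlayer[requestId];
        hasPendingDraw[player] = false;
        emit CardDrawn(player, index);
    }
}
```

The design point is the two-step flow: a request transaction that commits the player before any random value exists, and a fulfilment callback that the player does not control. Reviewers should check that the callback stays within the configured gas limit and never reverts on valid input, since a reverting callback leaves the draw stuck rather than letting it be retried.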