TwentyOne

First Flight #29

Beginner FriendlyGameFiFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

block.prevrandao Can Be Used Only From Solidity Version 0.8.18

koinerdegen

Summary:
The `block.prevrandao` property, introduced in Solidity 0.8.18, allows contracts to access the randomness value derived from the previous block in the Ethereum Proof-of-Stake consensus mechanism. This feature is unavailable in versions earlier than 0.8.18.

In the provided code from TwentyOne.sol, the pragma directive specifies pragma solidity ^0.8.13;. Since ^0.8.13allows versions ranging from 0.8.13 to less than 0.9.0, it cannot utilize the block.prevrandao property. Using this code with versions less than 0.8.18 will result in compilation errors.

Vulnerability Details

Root Cause
The block.prevrandao property is not supported in Solidity versions earlier than 0.8.18. If the compiler version is set to a lower version, any attempt to access this property will result in a compilation error.
Affected Code
The following pragma directive in TwentyOne.sol is insufficient to guarantee compatibility with block.prevrandao:

pragma solidity ^0.8.13;

Behavior

In Solidity versions prior to 0.8.18, using block.prevrandao will throw a compilation error:

Error: Member "prevrandao" not found or not visible after argument-dependent lookup in struct Block.

In Solidity 0.8.18 and above, block.prevrandao functions as expected.

Error of compiler with 0.8.13

Error: Compiler run failed:

Error (9582): Member "prevrandao" not found or not visible after argument-dependent lookup in block.

--> src/TwentyOne.sol:77:63:

77 | abi.encodePacked(block.timestamp, msg.sender, block.prevrandao)

| ^^^^^^^^^^^^^^^^

Impact:

Using a Solidity version earlier than 0.8.18 with block.prevrandao will prevent the contract from compiling. This issue can result in:

Delays in development or deployment.
Misalignment with the intended Ethereum Proof-of-Stake mechanism.
Potential developer oversight leading to functionality not working as expected.

Tools Used:

Static Analysis: Verified Solidity version in TwentyOne.sol with a code review.
Solidity Documentation: Referred to the official Solidity documentation.
Testing Environment: Foundry

Recommendations:

Update the Pragma Directive
Update the Solidity pragma directive in TwentyOne.sol to ensure compatibility with block.prevrandao. Replace the following line:

pragma solidity ^0.8.13;
With:

pragma solidity ^0.8.18;
Explicit Version Locking (Optional)
To avoid version conflicts in environments with multiple compiler versions, use an explicit version instead of a range:

pragma solidity 0.8.18;
Backward Compatibility Considerations
If block.prevrandao is not strictly required, and you need backward compatibility with older versions, consider using alternative logic. Note that alternatives (e.g., blockhash) may not offer secure randomness and are not suitable in all contexts.
Testing
Recompile and redeploy the contract using Solidity 0.8.18 or later. Confirm that the usage of block.prevrandaobehaves as expected.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`block.prevrandao` usage fails with pragmas below 0.8.18

Rewards breakdown

nSLOC

147

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.