Description: The EggHuntGame::searchForEgg function uses a weak PRNG method for generating a random number within the threshold. The use of keccak256 hash functions with predictable values like block.timestamp, block.prevrandao, and msg.sender is not a good way to generate random numbers. These values can be manipulated by miners and/or players.
Found in src/EggHuntGame::searchForEgg:
Impact: Users can manipulate the random number in EggHuntGame::searchForEgg so that they will always have a number lower than the eggFindThreshold, which will cause them to always find and mint new eggs. There will be no real randomness in this function and the purpose of the game will be defeated. They will "find" as many eggs as they want to.
Recommended Mitigation: Instead of using keccak256 and block data for generating the random number, I would recommend using Chainlink VRF for cryptographically secure and provably random values to ensure protocol integrity.
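The request/fulfil shape this mitigation implies, as an added sketch that is not the project's code or part of the original finding. It assumes Chainlink VRF v2 (VRFConsumerBaseV2 and VRFCoordinatorV2Interface); the import paths depend on the installed @chainlink/contracts version, and the contract name, the 0..99 roll range, the request parameters and the eggsFound counter (standing in for the real mint) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed import paths: older @chainlink/contracts layout; newer releases use src/v0.8/vrf/.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

contract EggHuntVrfSketch is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;       // gas lane, network-specific
    uint64 private immutable subscriptionId; // funded VRF subscription
    uint256 public constant ROLL_RANGE = 100; // assumption: roll is 0..99
    uint256 public eggFindThreshold = 20;     // constructed sample value

    mapping(uint256 => address) private searcherOf; // requestId => player
    mapping(address => bool) public searchPending;
    mapping(address => uint256) public eggsFound;   // stand-in for the real mint

    event SearchRequested(uint256 indexed requestId, address indexed player);
    event SearchResolved(uint256 indexed requestId, address indexed player, bool found);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) VRFConsumerBaseV2(_coordinator) {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subscriptionId = _subId;
    }

    // Step 1: the player only requests randomness. No block data or caller
    // address feeds the roll, so the outcome is unknown when this tx is sent.
    function searchForEgg() external returns (uint256 requestId) {
        require(!searchPending[msg.sender], "search already pending");
        searchPending[msg.sender] = true;
        // 3 confirmations, 100k callback gas, 1 random word (sample parameters)
        requestId = coordinator.requestRandomWords(keyHash, subscriptionId, 3, 100_000, 1);
        searcherOf[requestId] = msg.sender;
        emit SearchRequested(requestId, msg.sender);
    }

    // Step 2: the coordinator delivers the verified random word; the base
    // contract rejects any other caller. The outcome is decided only here.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = searcherOf[requestId];
        delete searcherOf[requestId];
        searchPending[player] = false;
        bool found = (randomWords[0] % ROLL_RANGE) < eggFindThreshold;
        if (found) eggsFound[player] += 1;
        emit SearchResolved(requestId, player, found);
    }
}
```

The pending flag keeps a player from queuing several requests and keeping only favourable ones, and the callback avoids reverting so a fulfilled request is never lost.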
Insecure methods to generate pseudo-random numbers