Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Weak randomness in `EggHuntGame::searchForEgg` allows players to influence or predict `EggHuntGame::random` so that it falls below `EggHuntGame::eggFindThreshold` and mint themselves an egg

**Impact:**

The weak randomness undermines the fairness and unpredictability of the game. A user can gain an unfair advantage by timing or manipulating `searchForEgg` to consistently `mintEgg`.

**Proof of Concept:**

1. Validators can know the values of `block.timestamp` and `block.prevrandao` ahead of time. See the [solidity blog on prevrandao](https://soliditydeveloper.com/prevrandao).
2. A user can mine/manipulate their `msg.sender` value.
3. The `eggCounter` is public, allowing off-chain simulation of the random value before sending a transaction.

Using on-chain values as a randomness seed is a [well-documented attack vector](https://betterprogramming.pub/how-to-generate-truly-random-numbers-in-solidity-and-blockchain-9ced6472dbdf) in the blockchain space.

**Recommended Mitigation:**

Consider using a cryptographically provable random number generator such as [Chainlink VRF](https://docs.chain.link/vrf).
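One way the recommended mitigation could be wired in, as an added example that is not the contest's code: the search becomes a request, and the egg is decided only in the Chainlink VRF v2 callback, so no caller-visible value feeds the outcome. The contract name `EggHuntGameVRF`, the `IEggNFT` interface and its `mintEgg` signature, the constructor parameters, the threshold value, the confirmation count, the gas limit and the import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed import paths; they differ between @chainlink/contracts releases.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

// Hypothetical interface: the page names mintEgg but does not show its signature.
interface IEggNFT {
    function mintEgg(address to, uint256 tokenId) external returns (bool);
}

contract EggHuntGameVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    IEggNFT private immutable eggNFT;
    bytes32 private immutable keyHash;
    uint64 private immutable subscriptionId;
    uint256 public eggFindThreshold = 20; // percent chance per search (assumed value)
    uint256 public eggCounter;
    mapping(uint256 => address) private searcherOf; // VRF requestId => player
    event EggFound(address indexed player, uint256 indexed eggId);

    constructor(address _coordinator, address _eggNFT, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        eggNFT = IEggNFT(_eggNFT);
        keyHash = _keyHash;
        subscriptionId = _subId;
    }

    // Only records who asked; the outcome does not exist yet when this transaction is mined.
    function searchForEgg() external returns (uint256 requestId) {
        // 3 confirmations, 200k callback gas, 1 random word (assumed settings)
        requestId = coordinator.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1);
        searcherOf[requestId] = msg.sender;
    }

    // Reached only through the coordinator after it has verified the VRF proof.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = searcherOf[requestId];
        delete searcherOf[requestId]; // each request is settled at most once
        if (player == address(0)) return;
        if (randomWords[0] % 100 < eggFindThreshold) {
            uint256 eggId = ++eggCounter;
            eggNFT.mintEgg(player, eggId);
            emit EggFound(player, eggId);
        }
    }
}
```

The subscription must be funded and this contract registered as a consumer before requests succeed, and the callback gas limit has to cover the mint.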
Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
