The searchForEgg function in EggHuntGame.sol uses pseudo-random number generation to obtain a random number, and that number can be manipulated.
Pseudo-random number generation can be manipulated easily by a malicious miner or validator. They can slightly tweak values like block.timestamp, and block.prevrandao is easily predictable by them, so they can favor certain outcomes. The pseudo-random number generation also uses msg.sender as a value, so the msg.sender can spam-call the function until they get an eggNFT.
A malicious miner or validator can tweak values like block.timestamp and predict block.prevrandao. They can see which timestamp causes if (random < eggFindThreshold) to return true, in which case the caller gets an eggNFT. They can then choose to mine a block with the timestamp that triggers the outcome they want (which is them getting an eggNFT). A msg.sender can also create multiple wallets and call searchForEgg until they get an eggNFT, because the pseudo-random number generation uses msg.sender as a value.
Manual Review
Use a decentralized oracle network for randomness such as Chainlink VRF.
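One way to apply this recommendation, as an added example that is not code from EggHuntGame.sol or from the finding: a request/fulfil sketch against the Chainlink VRF v2 coordinator interface. The contract name, events, threshold value, confirmation count, gas limit and the `% 100` reduction are assumptions; only searchForEgg and eggFindThreshold are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the Chainlink VRF v2 coordinator interface (assumed version).
interface IVRFCoordinatorV2 {
    function requestRandomWords(
        bytes32 keyHash, uint64 subId, uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit, uint32 numWords
    ) external returns (uint256 requestId);
}

// Hypothetical contract: only searchForEgg and eggFindThreshold are names from the finding.
contract EggHuntVrfSketch {
    IVRFCoordinatorV2 private immutable coordinator;
    bytes32 private immutable keyHash; // gas-lane id, deployment parameter
    uint64 private immutable subId;    // funded VRF subscription id
    uint256 public eggFindThreshold = 20; // constructed sample value
    mapping(uint256 => address) private searcherOf; // requestId => player

    event EggSearchRequested(uint256 indexed requestId, address indexed player);
    event EggSearchResolved(uint256 indexed requestId, address indexed player, bool found);

    constructor(address coordinator_, bytes32 keyHash_, uint64 subId_) {
        coordinator = IVRFCoordinatorV2(coordinator_);
        keyHash = keyHash_;
        subId = subId_;
    }

    // Step 1: no outcome is computed here, so block.timestamp, block.prevrandao
    // and msg.sender no longer feed the draw.
    function searchForEgg() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        searcherOf[requestId] = msg.sender;
        emit EggSearchRequested(requestId, msg.sender);
    }

    // Step 2: coordinator callback carrying the verified random word.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address player = searcherOf[requestId];
        require(player != address(0), "unknown request");
        delete searcherOf[requestId]; // each request resolves exactly once
        // Assumption: the draw is reduced to 0..99 before the threshold comparison.
        bool found = (randomWords[0] % 100) < eggFindThreshold;
        // The project's own logic would mint the egg NFT to `player` here when found.
        emit EggSearchResolved(requestId, player, found);
    }
}
```

Chainlink's VRFConsumerBaseV2 base contract performs the same coordinator-only check before handing the words to fulfillRandomWords, so a real integration would normally inherit it instead of declaring the callback by hand.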
Insecure methods to generate pseudo-random numbers