Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

H-1 Weak Randomness used in Egg Vault Contract

Summary

The searchForEgg() function in the EggHuntGame smart contract uses insecure and predictable sources to generate randomness. This makes the egg-finding mechanism vulnerable to prediction and manipulation, potentially giving attackers an unfair advantage in the game.


Vulnerability Details

Location:

    uint256 random = uint256(
        keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
    ) % 100;

Problem:

The contract attempts to simulate randomness by hashing block.timestamp, block.prevrandao, msg.sender and a public counter. Every one of these inputs is either:

  • Predictable by players: block.timestamp, msg.sender and eggCounter are public, and block.prevrandao is the previous block's RANDAO mix, which is already known when the transaction is built

  • Manipulatable by miners/validators (e.g. block.timestamp, which the block producer can shift within the allowed drift)

An attacker can replicate the hash computation off-chain before calling the searchForEgg() function to determine whether they will find an egg, then submit the transaction only when it's favorable.


💥 Impact

  • Fairness Violation: Users with better scripting skills or bots can predict successful egg search attempts and dominate the game.

  • Centralization of Rewards: Honest players will lose out to attackers who only play when they know they will win.

  • Game Integrity: The core game mechanic is undermined due to this predictability.


🛠️ Tools Used

  • Manual source code review

  • Off-chain simulation using JavaScript + ethers.js to replicate the randomness

  • Understanding of common EVM randomness flaws


🧾 Recommendations

Replace the pseudo-random logic with a secure randomness source:

✅ Option 1: Use Chainlink VRF

Use Chainlink VRF to securely generate randomness that is:

  • Tamper-proof

  • Unpredictable

  • Verifiable

// Chainlink VRF v2 integration (example)
function requestRandomEgg() external {
    // request one or more random words from the coordinator; the argument list
    // (key hash, subscription id, confirmations, gas limit, word count) is elided here
    uint256 requestId = VRFCoordinator.requestRandomWords(...);
    // store requestId => msg.sender so the fulfillRandomWords() callback can credit the player
}

✅ Option 2: Use a Commit-Reveal Scheme

  • Players first commit to a secret (hash)

  • Later reveal the secret to generate randomness

This method removes the ability to predict the outcome before committing, at the cost of a second transaction and coordination between players and the contract.
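A commit-reveal version of the egg search, written here as an added example rather than the EggHuntGame code; the contract name, the bond amount and the 20% egg chance are assumptions. The bond is the part most write-ups omit: without it a player can commit, watch the next block's hash, and simply never reveal an unlucky roll.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Commit-reveal egg search. Added illustration, not the EggHuntGame code.
/// The bond stops a player from committing, peeking at the block hash and
/// simply never revealing an unlucky roll (a free re-roll).
contract CommitRevealEggSearch {
    uint256 public constant BOND = 0.01 ether;  // assumed value
    uint256 public constant EGG_CHANCE = 20;    // percent; assumed value
    uint256 public constant MAX_AGE = 256;      // blockhash() only covers the last 256 blocks
    struct Commit { bytes32 hash; uint64 commitBlock; }
    mapping(address => Commit) public commits;
    mapping(address => uint256) public eggsFound;
    event EggSearched(address indexed player, uint256 roll, bool found);

    /// Step 1: post keccak256(abi.encodePacked(secret, msg.sender)) plus the bond.
    function commit(bytes32 commitHash) external payable {
        require(msg.value == BOND, "bond");
        require(commits[msg.sender].hash == bytes32(0), "commit pending");
        commits[msg.sender] = Commit(commitHash, uint64(block.number));
    }

    /// Step 2: reveal after the block following the commit is mined. The roll mixes
    /// the secret (unknown to the validator at commit time) with that block's hash
    /// (unknown to the player at commit time), so neither side picks it alone.
    function reveal(bytes32 secret) external {
        Commit memory c = commits[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == c.hash, "bad secret");
        uint256 entropyBlock = c.commitBlock + 1;
        require(block.number > entropyBlock, "too early");
        bytes32 entropy = blockhash(entropyBlock);  // zero once older than MAX_AGE blocks
        require(entropy != bytes32(0), "reveal window passed");
        delete commits[msg.sender];  // state cleared before the refund (no reentrancy)
        uint256 roll = uint256(keccak256(abi.encodePacked(secret, entropy, msg.sender))) % 100;
        bool found = roll < EGG_CHANCE;
        if (found) eggsFound[msg.sender] += 1;
        emit EggSearched(msg.sender, roll, found);
        (bool ok, ) = msg.sender.call{value: BOND}("");
        require(ok, "refund failed");
    }

    /// Anyone may sweep a stale commit; the player who walked away loses the bond.
    function forfeit(address player) external {
        Commit memory c = commits[player];
        require(c.hash != bytes32(0) && block.number > c.commitBlock + 1 + MAX_AGE, "not stale");
        delete commits[player];
        (bool ok, ) = msg.sender.call{value: BOND}("");
        require(ok, "sweep failed");
    }
}
```

A validator who is also the player can still influence the hash of the entropy block, so this lowers the risk rather than eliminating it; Option 1 (Chainlink VRF) is the choice when that residual risk matters.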


Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
