Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Both block.prevrandao and block.timestamp are not reliable sources of randomness

Summary

Both block.prevrandao and block.timestamp are not reliable sources of randomness

Vulnerability Details

Here: https://github.com/CodeHawks-Contests/2025-04-eggstravaganza/blob/main/src/EggHuntGame.sol#L71

The code uses block.prevrandao and block.timestamp as sources of randomness to determine who is lucky enough to win the raffle.

However, neither opcode is a good source of randomness.

https://eips.ethereum.org/EIPS/eip-4399

Security Considerations
The PREVRANDAO (0x44) opcode in PoS Ethereum (based on the beacon chain RANDAO implementation) is a source of randomness with different properties to the randomness supplied by BLOCKHASH (0x40) or DIFFICULTY (0x44) opcodes in the PoW network.

Biasability
The beacon chain RANDAO implementation gives every block proposer 1 bit of influence power per slot. The proposer may deliberately refuse to propose a block on the opportunity cost of the proposer and transaction fees to prevent beacon chain randomness (a RANDAO mix) from being updated in a particular slot.

Impact

A miner can manipulate block.prevrandao and block.timestamp to let a specific address win.

Tools Used

Manual Review

Recommendations

Change the random number generation method (can use Chainlink VRF, etc.).
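
As an added example (not part of the submission or the contest's code), this heuristic Python check flags keccak256 calls seeded with block variables, which is the pattern this finding describes. The sample contract, its function names and the list of flagged sources are assumptions made for illustration.

```python
import re

# Block-derived values: known to every caller in the block, partly proposer-influenced.
WEAK_SOURCES = ("block.prevrandao", "block.timestamp", "block.difficulty",
                "block.number", "block.coinbase", "blockhash")

def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers hold.
    Heuristic: a '//' inside a string literal is treated as a comment too."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def call_args(src, open_idx):
    """Return the text between the parenthesis at open_idx and its match."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest

def find_weak_randomness(src):
    """List (line, sources) for each keccak256 call fed by block variables."""
    src = strip_comments(src)
    findings = []
    for m in re.finditer(r"\bkeccak256\s*\(", src):
        args = call_args(src, m.end() - 1)
        used = [s for s in WEAK_SOURCES if re.search(re.escape(s) + r"\b", args)]
        if used:
            findings.append((src.count("\n", 0, m.start()) + 1, used))
    return findings

# Constructed sample contract, not the contest's EggHuntGame.sol.
SAMPLE = """\
contract Raffle {
    uint256 counter;
    function draw() external returns (bool) {
        // keccak256(abi.encodePacked(block.number)) was the old version
        uint256 r = uint256(keccak256(abi.encodePacked(
            block.timestamp, block.prevrandao, msg.sender, counter))) % 100;
        return r < 20;
    }
    function commitment(bytes32 salt) external view returns (bytes32) {
        return keccak256(abi.encodePacked(msg.sender, salt));
    }
}
"""

if __name__ == "__main__":
    for line, used in find_weak_randomness(SAMPLE):
        print(f"line {line}: keccak256 seeded by {', '.join(used)}")
```

A hit is a prompt for manual review, not proof of a bug: hashing block variables for a non-random purpose is also flagged.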

Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
