Use of pseudo-random number in `EggHuntGame::searchForEgg()` allows anyone to mint an egg easily by pre-determining the "random" number
Summary
In the function EggHuntGame::searchForEgg(), very deterministic variables are used to generate a "random" number, because of which the number can be guessed and an egg can be minted easily.
Vulnerability Details
A pseudo-random number is generated in the function EggHuntGame::searchForEgg() to decide if the caller can mint an egg NFT. But to prepare this number, these variables are being used:
block.timestamp
block.prevrandao
msg.sender
eggCounter
As these all four variables are very deterministic, this system can be exploited by someone in this way:
Create a blockchain monitoring script. Get the
pendingblock and calculate therandomnumber using the same formula as used in theEggHuntGamecontract (web3.js::keccak256()can be used to calculate keccak256 hash).When a favorable number is found, send the blockchain transaction for
EggHuntGame::searchForEgg().
Impact
Allows someone to bypass the "random luck" logic of the game and mint an egg NFT.
Tools Used
Manual review
Recommendations
Use a trusted oracle for generating a random number, e.g. Chainlink's VRF.
Lead Judging Commences
Insecure Randomness
Insecure methods to generate pseudo-random numbers
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.