The EggHuntGame contract's searchForEgg() function uses insecure on-chain data (block.timestamp and block.prevrandao) to generate pseudo-random numbers. Because these inputs are public and can be influenced by miners or validators, an attacker can predict or manipulate the outcome and unfairly mint unlimited EggstravaganzaNFT tokens.
Vulnerable Function: searchForEgg()
Attack Vector: Exploitation of deterministic randomness generation.
The searchForEgg() function determines whether a player finds an egg using this flawed logic:
uint256 random = uint256(
    keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
) % 100;
Miners control block.timestamp and block.prevrandao, allowing them to craft favorable values that guarantee a successful egg mint.
Unlimited Egg Minting: Attackers can mint eggs on every attempt, bypassing the set probability threshold.
Economic Collapse: Oversupply of NFTs devalues assets, rendering the game’s reward system meaningless.
Loss of Trust: Players lose confidence in the game’s fairness, leading to abandonment.
Manual Code Review:
Replace on-chain randomness with Chainlink VRF, a cryptographically secure and verifiable randomness solution.
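As an added example (not the audited contract's code), the following shows how searchForEgg() can be split into a request and a callback so the outcome depends on a Chainlink VRF v2 random word rather than block data. The NFT interface, eggFindThreshold and the 20% probability are assumed names and values; the import paths follow the @chainlink/contracts package layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the audited code. Import paths depend on the
// @chainlink/contracts version installed in the project.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Assumed minting interface of the NFT contract.
interface IEggNFT {
    function mintEgg(address to, uint256 tokenId) external;
}

contract EggHuntGameVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    IEggNFT public immutable eggNFT;
    bytes32 private immutable keyHash;
    uint64 private immutable subscriptionId;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;

    uint256 public eggFindThreshold = 20; // assumed: 20% chance of finding an egg
    uint256 public eggCounter;
    mapping(uint256 => address) public requestToPlayer; // VRF requestId -> player

    event EggFound(address indexed player, uint256 tokenId);

    constructor(address _coordinator, address _eggNFT, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        eggNFT = IEggNFT(_eggNFT);
        keyHash = _keyHash;
        subscriptionId = _subId;
    }

    // Step 1: the player only requests randomness. The result is not derivable
    // from block.timestamp, block.prevrandao or any other state visible now.
    function searchForEgg() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(
            keyHash, subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, 1
        );
        requestToPlayer[requestId] = msg.sender;
    }

    // Step 2: the coordinator delivers a verifiable random word in a later
    // block. Do not revert here; an unknown requestId is simply ignored.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = requestToPlayer[requestId];
        if (player == address(0)) return;
        delete requestToPlayer[requestId];
        if (randomWords[0] % 100 < eggFindThreshold) {
            eggCounter++;
            eggNFT.mintEgg(player, eggCounter);
            emit EggFound(player, eggCounter);
        }
    }
}
```

The game contract must be added as a consumer of the funded VRF subscription; until the callback runs, no on-chain data reveals whether the search will succeed.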
Insecure methods to generate pseudo-random numbers