Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Front-Running in Egg Search

Summary

The EggHuntGame contract is vulnerable to front-running due to its reliance on predictable pseudo-randomness in the searchForEgg() function. An attacker can observe a successful transaction in the mempool and submit a similar transaction with guaranteed success in the same block. This undermines the fairness and integrity of the game.

Vulnerability Details

The core of the issue lies in how randomness is generated to determine whether a player successfully finds an egg:

    uint256 random = uint256(
        keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
    ) % 100;

All inputs used in the keccak256 hash are either publicly available or easily guessable at the time of transaction submission:

  • block.timestamp: predictable within the same block

  • block.prevrandao: constant for a block

  • msg.sender: attacker can control this

  • eggCounter: public state variable

This allows a malicious actor to mimic the exact conditions of a pending successful transaction and submit their own transaction in the same block to also find an egg — effectively front-running the original player.

PoC

Add this code to EggHuntGameTest.t.sol

    function testFrontRunningInSearchForEgg() public {
        // Lock the block timestamp before game starts
        vm.warp(1000);
        game.startGame(600); // Set game duration
        game.setEggFindThreshold(100); // Always succeed for test

        // Alice submits a successful search
        vm.prank(alice);
        game.searchForEgg();

        // Bob observes and copies it within the same block
        vm.prank(bob);
        game.searchForEgg();

        // Both get eggs despite the game being chance-based
        assertEq(nft.balanceOf(alice), 1, "Alice should get an egg");
        assertEq(nft.balanceOf(bob), 1, "Bob should get an egg via frontrunning");
        assertEq(game.eggCounter(), 2, "Total egg count should be 2");
    }

Output:

[PASS] testFrontRunningInSearchForEgg() (gas: 277092)

Impact

  • Enables bots and malicious actors to guarantee egg mints by replicating pending successful transactions

  • Compromises the randomness and fairness of the game

  • Can lead to artificial inflation of egg count and undermine trust in the system

  • Creates an uneven playing field that favors technically advanced users or attackers

Tools Used

Foundry

Recommendations

  • Use secure randomness sources, such as:

    • Chainlink VRF

    • RNG from an oracle

  • Alternatively, implement a commit-reveal scheme where users commit a guess and reveal it later to prevent prediction.

  • Avoid using block.timestamp, block.prevrandao, or any other miner-controlled or publicly predictable values for randomness in game logic.

  • Consider adding a delay or batching mechanism to limit back-to-back identical function calls.
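A minimal sketch of the commit-reveal recommendation above, added here as an illustration and not taken from the Eggstravaganza code base. The contract name, function names, `REVEAL_DELAY`, the default threshold and the `random < eggFindThreshold` comparison are assumptions, and an event stands in for the NFT mint. A block proposer can still influence `blockhash`, so Chainlink VRF remains the stronger option.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

/// Added illustration; all names here are hypothetical.
contract CommitRevealEggSearch {
    struct Commitment {
        bytes32 hash;        // keccak256(abi.encode(secret, player))
        uint64 blockNumber;  // block in which the commitment was recorded
    }

    uint256 public constant REVEAL_DELAY = 1; // blocks between commit and entropy block
    uint256 public eggFindThreshold = 20;     // percent chance (assumed value)
    uint256 public eggCounter;
    mapping(address => Commitment) public commitments;

    event EggFound(address indexed player, uint256 eggId);

    /// Step 1: the player fixes a secret before the entropy block exists.
    function commitSearch(bytes32 commitmentHash) external {
        require(commitments[msg.sender].hash == bytes32(0), "pending commitment");
        commitments[msg.sender] = Commitment(commitmentHash, uint64(block.number));
    }

    /// Step 2: the outcome mixes the committed secret with a block hash
    /// that was unknown when the commitment was made.
    function revealSearch(bytes32 secret) external returns (bool found) {
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commitment");
        // Binding the hash to msg.sender stops a copied commitment from being reused.
        require(c.hash == keccak256(abi.encode(secret, msg.sender)), "bad secret");
        uint256 targetBlock = uint256(c.blockNumber) + REVEAL_DELAY;
        require(block.number > targetBlock, "too early");
        delete commitments[msg.sender]; // one attempt per commitment

        bytes32 entropy = blockhash(targetBlock);
        // blockhash() returns zero for blocks older than 256: the attempt is forfeited.
        if (entropy == bytes32(0)) return false;

        uint256 random = uint256(keccak256(abi.encode(secret, entropy))) % 100;
        if (random < eggFindThreshold) {
            eggCounter++;
            emit EggFound(msg.sender, eggCounter); // stand-in for the NFT mint
            return true;
        }
    }
}
```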

Updates

Lead Judging Commences

m3dython Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
