The core game mechanic relies on pseudo-random number generation using keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter)) % 100. This method is insecure for blockchain applications because the inputs are predictable or influenceable:
block.timestamp: Can be manipulated slightly by miners/validators.
block.prevrandao: Influenceable by miners/validators, although less predictable than blockhash.
The attack scenario is as follows: An attacker (especially a miner/validator) could potentially predict or influence the outcome of the "random" number generation. They could time their transactions or manipulate block properties to significantly increase their probability of the random < eggFindThreshold check passing, allowing them to find eggs more often than statistically expected, potentially guaranteeing finds under certain conditions.
This undermines the fairness and integrity of the game. It allows players to gain an unfair advantage, potentially breaking the game's intended mechanics and economy.
Resolve egg finds in a future block, making prediction harder, or have players commit a value first and reveal the randomness later, preventing manipulation.
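The mitigation described above, as an added example (not the audited contract's code): the player commits to a secret, and the result is derived in a later block from that secret and the hash of the block following the commit. Only eggCounter and eggFindThreshold come from the finding; the contract name, function names, event and threshold value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Names other than eggCounter and eggFindThreshold are hypothetical.
contract EggHuntCommitReveal {
    struct Commitment { bytes32 hash; uint64 blockNumber; }

    uint256 public eggCounter;
    uint256 public eggFindThreshold = 20; // assumed value: 20% chance per search
    mapping(address => Commitment) public commitments;

    event EggFound(address indexed player, uint256 eggId);

    // Step 1: player submits keccak256(abi.encodePacked(secret, msg.sender)).
    // Binding the sender stops another account from copying the commitment.
    function commitSearch(bytes32 commitHash) external {
        require(commitHash != bytes32(0), "empty commit");
        require(commitments[msg.sender].hash == bytes32(0), "pending commit");
        commitments[msg.sender] = Commitment(commitHash, uint64(block.number));
    }

    // Step 2: reveal in a later block. The outcome mixes the secret with the
    // hash of the block after the commit, which was unknown at commit time.
    function revealSearch(bytes32 secret) external returns (bool found) {
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == c.hash, "bad secret");
        uint256 target = uint256(c.blockNumber) + 1;
        require(block.number > target, "too early");
        delete commitments[msg.sender]; // one attempt per commitment

        bytes32 futureHash = blockhash(target);
        // blockhash() returns 0 for blocks older than the last 256:
        // a late reveal forfeits the attempt instead of using a known value.
        if (futureHash == bytes32(0)) return false;

        uint256 random = uint256(keccak256(abi.encodePacked(secret, futureHash))) % 100;
        if (random < eggFindThreshold) {
            eggCounter++;
            emit EggFound(msg.sender, eggCounter);
            return true;
        }
        return false;
    }
}
```

The block hash is still produced by a validator, so this raises the cost of biasing the outcome rather than removing validator influence entirely.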
Insecure methods to generate pseudo-random numbers