Insecure randomness used in EgssHuntGame.sol
Summary
The EggHuntGame.sol contract uses keccak256 with predictable inputs to generate random values. This approach is insecure on public blockchains, especially in game logic where fair randomness is critical.
Vulnerability Details
This method of generating randomness is deterministic and can be influenced or predicted by miners or users. Since block.timestamp and msg.sender are known or partially controllable values, attackers can game the system to gain an unfair advantage during prize distribution or gameplay.
Impact
Attackers may predict or manipulate the outcome of random events.
Players can gain unfair advantages, compromising the fairness and integrity of the game.
This undermines trust in the game’s outcomes and opens up potential economic exploits.
Tools Used
Manual code inspection
Solidity anti-pattern identification
Recommendations
Replace the current randomness logic with Chainlink VRF or a similar verifiable randomness solution.
Avoid using block.timestamp, blockhash, or msg.sender alone in any randomness logic.
Lead Judging Commences
Insecure Randomness
Insecure methods to generate pseudo-random numbers
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.