Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Cross-Chain Incompatibility with `block.prevrandao`

Summary

The contract derives randomness from block.prevrandao, which is unsupported on many Ethereum-compatible chains (L1 and L2), causing reverts or insecure fallback behavior on those chains.


Vulnerability Details

Location: EggHuntGame.sol, searchForEgg() function

Code Snippet:

    uint256 random = uint256(
        keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender, eggCounter))
    ) % 100;

Issue:

  • block.prevrandao was introduced in Ethereum's Paris upgrade (post-Merge) and is not supported on:

    • Proof-of-Work Chains: BSC, Avalanche C-Chain, Polygon PoS (use block.difficulty).

    • Certain L2s: zkSync Era, StarkNet (use custom RNG).

  • On unsupported chains, block.prevrandao returns 0 or causes undefined behavior, so the hash above loses that entropy source and the RNG logic breaks.


Impact

  • Broken Functionality: searchForEgg() will revert or produce predictable or invalid randomness on unsupported chains.

  • Deployment Limitations: Contract cannot be deployed cross-chain without modification.

  • Game Integrity Risk: predictable RNG lets a caller know the outcome of searchForEgg() before submitting the transaction on affected chains.


Tools Used

  • Manual Code Review


Recommendations

  • Implement Chainlink VRF for universally compatible, secure randomness, replacing the inline keccak256 computation with a request/fulfill flow.
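The following contract is an added illustration of the recommendation above applied to the snippet in Vulnerability Details; it is not code from the Eggstravaganza repository. It assumes the @chainlink/contracts package (the import paths below are assumptions about that package's layout), a funded VRF v2 subscription on which this contract is registered as a consumer, and a hypothetical 20% success threshold mirroring the `% 100` roll in the original. Only searchForEgg and eggCounter come from the audited contract; every other name is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths assumed from the @chainlink/contracts package (not part of the audited repo).
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

/// @notice Hypothetical rewrite of searchForEgg() using Chainlink VRF v2 instead of block.prevrandao.
contract EggHuntVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;          // gas lane, chain-specific (assumed constructor input)
    uint64 private immutable i_subscriptionId;    // funded VRF subscription (assumed constructor input)
    uint32 private constant CALLBACK_GAS_LIMIT = 100_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant NUM_WORDS = 1;

    uint256 public eggCounter;
    uint256 public constant EGG_FIND_THRESHOLD = 20; // assumed: roll < 20 out of 100 finds an egg

    // Pending requests: who asked for a given VRF request id.
    mapping(uint256 => address) private s_requestToPlayer;

    event EggSearchRequested(uint256 indexed requestId, address indexed player);
    event EggSearchResolved(uint256 indexed requestId, address indexed player, bool found);

    constructor(address coordinator, bytes32 keyHash, uint64 subscriptionId)
        VRFConsumerBaseV2(coordinator)
    {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
    }

    // Step 1: the player asks for randomness. Nothing about the outcome is decided here,
    // so neither the caller nor the block producer can compute it ahead of time, and no
    // chain-specific opcode (block.prevrandao / block.difficulty) is involved.
    function searchForEgg() external returns (uint256 requestId) {
        requestId = i_coordinator.requestRandomWords(
            i_keyHash, i_subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, NUM_WORDS
        );
        s_requestToPlayer[requestId] = msg.sender;
        emit EggSearchRequested(requestId, msg.sender);
    }

    // Step 2: the VRF coordinator calls back with randomness whose proof it has already
    // verified on-chain; the game resolves the search only at this point.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = s_requestToPlayer[requestId];
        require(player != address(0), "unknown request");
        delete s_requestToPlayer[requestId];

        uint256 roll = randomWords[0] % 100;
        bool found = roll < EGG_FIND_THRESHOLD;
        if (found) {
            eggCounter += 1;
            // Egg minting would go here; omitted because it depends on the game's NFT contract.
        }
        emit EggSearchResolved(requestId, player, found);
    }
}
```

The design point is the two-transaction split: the outcome is fixed by the coordinator's callback, not by anything visible to the caller when searchForEgg() is mined, which is what removes both the cross-chain dependency on block.prevrandao and the predictability the Impact section describes. The callback is asynchronous, so front-end code has to watch for EggSearchResolved rather than reading a return value from searchForEgg().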

Updates

Lead Judging Commences

m3dython (Lead Judge), 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
