High detector: weak randomness #326

Closed
TilakMaddy opened this issue Apr 12, 2024 · 3 comments · Fixed by #618
Labels: good first issue (Good for newcomers), priority-low (Low priority issue)

@TilakMaddy
Collaborator

The keccak256 hash of a combination of predictable values like block.timestamp, block.number, or any values, should not be accepted as random. Relying on it could harm the protocol. Rather we should use something like Chainlink VRF which gives access to mathematically proven random values on chain.

@TilakMaddy added the "hackathon idea" (An idea for a hackathon submission) label on Apr 12, 2024
@alexroan
Contributor

I think this should be high!

@TilakMaddy changed the title from "Low detector: weak randomness" to "High detector: weak randomness" on May 13, 2024
@alexroan added the "priority-low" and "good first issue" labels and removed the "hackathon idea" label on Jun 17, 2024
@DavidDrob
Contributor

DavidDrob commented Jul 23, 2024

Hey, could you assign me this issue?

My plan would be to check for

  1. usage of prevrandao
  2. modulo operations on block.timestamp or block.number
  3. hashing block.timestamp or block.number

@alexroan
Contributor

alexroan commented Jul 24, 2024

> Hey, could you assign me this issue?
>
> My plan would be to check for
>
>   1. usage of prevrandao
>   2. modulo operations on block.timestamp or block.number
>   3. hashing block.timestamp or block.number

Done @DavidDrob ! :)

If you need any help, please tag me here or on an open PR.
A useful starting test case:

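```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18; // block.prevrandao is available from 0.8.18

// Deliberately weak: hashes only predictable values, so the detector should flag it.
contract WeakRandomness {
    function getRandomNumber() external view returns (uint256) {
        uint256 randomNumber = uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao, block.timestamp)));
        return randomNumber;
    }
}
```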
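The three checks proposed in this thread, sketched as a text-level heuristic and run over the test contract above. This is an added example, not the project's detector; the function names, the check labels and the `coinFlip` function in the sample are assumptions made for illustration.

```python
import re

# Text-level heuristics only; a production detector would inspect the compiler
# AST, and this comment stripper does not understand "//" inside string literals.
BLOCK_VALUE = re.compile(r"\bblock\.(?:timestamp|number)\b")
PREVRANDAO = re.compile(r"\bblock\.prevrandao\b")
MODULO = re.compile(r"\bblock\.(?:timestamp|number)\b[\s)]*%")
HASH_CALL = re.compile(r"\bkeccak256\s*\(")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay correct."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def call_args(src, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced input: take the rest

def find_weak_randomness(source):
    """Return sorted (line, check) pairs for the three checks in the plan."""
    src = strip_comments(source)
    line_of = lambda pos: src.count("\n", 0, pos) + 1
    hits = set()
    for name, rx in (("prevrandao", PREVRANDAO), ("modulo-on-block-value", MODULO)):
        hits.update((line_of(m.start()), name) for m in rx.finditer(src))
    for m in HASH_CALL.finditer(src):
        if BLOCK_VALUE.search(call_args(src, m.end() - 1)):
            hits.add((line_of(m.start()), "hash-of-block-value"))
    return sorted(hits)

# Constructed sample: the thread's test contract plus a hypothetical coinFlip().
SAMPLE = """\
contract WeakRandomness {
    function getRandomNumber() external view returns (uint256) {
        uint256 randomNumber = uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao, block.timestamp)));
        return randomNumber;
    }
    // block.number % 2 in a comment is not reported
    function coinFlip() external view returns (bool) {
        return uint256(block.number) % 2 == 0;
    }
}
"""

if __name__ == "__main__":
    print(find_weak_randomness(SAMPLE))
```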
