Cyfrin / aderyn

Aderyn 🦜 Rust-based Solidity AST analyzer.
GNU General Public License v2.0

High detector: weak randomness #326

Open TilakMaddy opened 3 months ago

TilakMaddy commented 3 months ago

The keccak256 hash of a combination of predictable values like block.timestamp, block.number, or any values, should not be accepted as random. Relying on it could harm the protocol. Rather, we should use something like Chainlink VRF which gives access to mathematically proven random values on chain.

alexroan commented 2 months ago

I think this should be high!

DavidDrob commented 2 days ago

Hey, could you assign me this issue?

My plan would be to check for

  1. usage of prevrandao
  2. modulo operations on block.timestamp or block.number
  3. hashing block.timestamp or block.number

alexroan commented 1 day ago

> Hey, could you assign me this issue?
>
> My plan would be to check for
>
>   1. usage of prevrandao
>   2. modulo operations on block.timestamp or block.number
>   3. hashing block.timestamp or block.number

Done @DavidDrob ! :)

If you need any help, please tag me here or on an open PR. A useful starting test case:


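```solidity
pragma solidity ^0.8.18; // block.prevrandao requires 0.8.18 or later

contract WeakRandomness {
    function getRandomNumber() external view returns (uint256) {
        // Deliberately weak: derived only from msg.sender and block values.
        uint256 randomNumber = uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao, block.timestamp)));
        return randomNumber;
    }
}
```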
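
The three checks proposed in the thread, sketched in Rust as a scan over raw Solidity source. This is an added example, not code from Aderyn or from any commenter: Aderyn's detectors work on the AST, and `Finding`, `scan`, `call_args` and `SAMPLE` are names made up for this illustration.

```rust
// Added illustration: a text-level heuristic, not Aderyn's AST-based detector code.
#[derive(Debug, PartialEq)]
pub enum Finding { Prevrandao, ModuloOnBlockValue, HashOfBlockValue }
const BLOCK_VALUES: [&str; 2] = ["block.timestamp", "block.number"];

/// Constructed sample: the thread's test case plus a modulo case and a benign use.
pub const SAMPLE: &str = "contract WeakRandomness {
    function getRandomNumber() external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao, block.timestamp)));
    }
    function pick(uint256 n) external view returns (uint256) { return block.number % n; }
    function deadline() external view returns (uint256) { return block.timestamp + 1 days; }
}";

/// Text between the '(' that starts `s` and its matching ')', if the call is closed.
fn call_args(s: &str) -> Option<&str> {
    let mut depth = 0usize;
    for (i, c) in s.char_indices() {
        match c {
            '(' => depth += 1,
            ')' => { depth -= 1; if depth == 0 { return Some(&s[1..i]); } }
            _ => {}
        }
    }
    None
}

/// Returns (line, finding) pairs, sorted by line, for the three proposed checks.
pub fn scan(src: &str) -> Vec<(usize, Finding)> {
    let line_of = |pos: usize| src[..pos].matches('\n').count() + 1;
    let mut out = Vec::new();
    // Check 1: any use of block.prevrandao.
    out.extend(src.match_indices("block.prevrandao").map(|(p, _)| (line_of(p), Finding::Prevrandao)));
    for name in BLOCK_VALUES.iter() {
        for (pos, _) in src.match_indices(*name) {
            if src[pos + name.len()..].trim_start().starts_with('%') {
                out.push((line_of(pos), Finding::ModuloOnBlockValue)); // check 2
            }
        }
    }
    for (pos, kw) in src.match_indices("keccak256(") {
        let args = call_args(&src[pos + kw.len() - 1..]).unwrap_or("");
        if BLOCK_VALUES.iter().any(|v| args.contains(*v)) {
            out.push((line_of(pos), Finding::HashOfBlockValue)); // check 3
        }
    }
    out.sort_by_key(|f| f.0);
    out
}
fn main() { for (line, f) in scan(SAMPLE) { println!("line {}: {:?}", line, f); } }
```

Because it matches text, this sketch also fires on comments and string literals and misses aliased values such as `uint256 t = block.timestamp; t % n`; an AST-based detector avoids the first and can be extended to the second.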