Open TilakMaddy opened 3 months ago
I think this should be high!
Hey, could you assign me this issue?
My plan would be to check for
prevrandao
block.timestamp
or block.number
block.timestamp
or block.number
Hey, could you assign me this issue?
My plan would be to check for
- usage of
prevrandao
- modulo operations on
block.timestamp
orblock.numer
- hashing
block.timestamp
orblock.numer
Done @DavidDrob ! :)
If you need any help, please tag me here or on an open PR. A useful starting test case:
contract WeakRandomness {
function getRandomNumber() external view returns (uint256) {
uint256 randomNumber = uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao, block.timestamp)));
return randomNumber;
}
}
The
keccak256
hash of a combination of predictable values likeblock.timestamp
,block.number
, or any values, should not be accepted as random. Relying on it could harm the protocol. Rather we should use something like Chainlink VRF which gives access to mathematically proven random values on chain.