This function is used in randomWord to obtain a random word from the array wordsList. The problem is that the random number is reduced with a modulus of 100.
So when entering getWord, the if condition produces a wrong random distribution over wordList: the first word has twice the probability of being selected compared with the others, and the last word can never be selected.
POC

```python
from hashlib import sha3_256
from random import randbytes


def get_rand():
    # Random value reduced modulo 100, as the contract does
    return int(sha3_256(randbytes(32)).hexdigest(), 16) % 100


if __name__ == "__main__":
    rand_distribution = [0] * 100
    for _ in range(1_000_000):
        rand = get_rand()
        # Same branch as getWord: 0 maps to index 0, everything else to rand - 1,
        # so index 0 is hit twice as often and index 99 is never hit
        if rand == 0:
            rand_distribution[rand] += 1
        else:
            rand_distribution[rand - 1] += 1
    print(rand_distribution)
```
Remediation
Remove the if condition in getWord and return the word directly; it will also cost less gas.
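An exact enumeration of the mapping bias and of the remediated mapping, added here as an example and not code from the report or the NextGen project; it assumes wordsList has 100 entries, matching the modulus, and does not need random sampling because every residue 0..99 is equiprobable:

```python
from collections import Counter

WORD_COUNT = 100  # assumed size of wordsList, matching the modulus in randomWord


def vulnerable_index(rand: int) -> int:
    """Mirror of the branch in getWord: 0 stays 0, every other value is shifted down by one."""
    if rand == 0:
        return rand
    return rand - 1


def fixed_index(rand: int) -> int:
    """Remediated mapping: the modulo-100 value is used directly as the index."""
    return rand


def index_histogram(mapping, word_count: int = WORD_COUNT) -> Counter:
    """Exact hit count per word index over all word_count equiprobable residues."""
    return Counter(mapping(r) for r in range(word_count))


def analyse(mapping, word_count: int = WORD_COUNT) -> dict:
    """Summarise the distribution: unreachable words, max hits, and whether it is uniform."""
    hist = index_histogram(mapping, word_count)
    return {
        "never_selected": sorted(set(range(word_count)) - set(hist)),
        "max_hits": max(hist.values()),
        "uniform": all(hist[i] == 1 for i in range(word_count)),
    }


if __name__ == "__main__":
    print("vulnerable:", analyse(vulnerable_index))
    print("fixed:     ", analyse(fixed_index))
```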
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/XRandoms.sol#L28
Vulnerability details
The randomWord method of the randomPool contract has a wrong random distribution.
Vulnerable Code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/XRandoms.sol#L28
Assessed type
Other