hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

weak randomness #104

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: itsabinashb
Submission hash (on-chain): 0x4c2b94e0b6989e3e42945c99ab7783f130af9fd5ce47d617f7e37be04e6461d7
Severity: high

Description:
The use of keccak256 hash functions on predictable values like block.timestamp, block.number, or similar data, including modulo operations on these values, should be avoided for generating randomness, as they are easily predictable and manipulable. The PREVRANDAO opcode also should not be used as a source of randomness. Instead, utilize Chainlink VRF for cryptographically secure and provably random values to ensure protocol integrity.

The severity is high because - Transfer hash must be unique.

Attack Scenario:

Attachments

  1. Proof of Concept (PoC) File https://github.com/hats-finance/Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0/blob/07f6529954291f79b3c690881004f306da97759f/contracts/CrossChainProofOfHumanity.sol#L267-L270

  2. Revised Code File (Optional)

clesaege commented 2 months ago

The transaction hash just needs to be unique. It doesn't need to be random nor unpredictable.
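The two comments above disagree about which property the transfer hash needs: the report treats it as a randomness source, the maintainer says it only has to be unique. The contract below is an added illustration of that distinction and is not the Proof of Humanity code; the function names, the `humanityId`/`receiver` parameters and the nonce layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustration only (not the Proof of Humanity contract): shows the difference
/// between an identifier that is guaranteed unique and a value that is unpredictable.
contract TransferHashExample {
    /// Per-contract counter, incremented on every transfer so that no two calls
    /// ever hash identical inputs, even when they land in the same block.
    uint256 private nonce;

    /// Unique transfer identifier. Every input is public and predictable, which is
    /// acceptable when the requirement is uniqueness only: the nonce guarantees
    /// distinct outputs, and nothing here is meant to be secret or random.
    function newTransferHash(bytes20 humanityId, address receiver)
        external
        returns (bytes32)
    {
        uint256 n = nonce++;
        return keccak256(
            abi.encodePacked(block.chainid, address(this), humanityId, receiver, n)
        );
    }

    /// Hypothetical construction without a nonce, for contrast. Two transfers with
    /// the same inputs in the same block share block.timestamp and therefore the
    /// same hash, so uniqueness is not guaranteed; and because every input is
    /// public, the value is also predictable and must never be treated as random.
    function timestampOnlyHash(bytes20 humanityId, address receiver)
        external
        view
        returns (bytes32)
    {
        return keccak256(abi.encodePacked(block.timestamp, humanityId, receiver));
    }
}
```

When reviewing a finding like this, the check is which property the consumer of the hash relies on: a nonce (or an already-unique key such as a request id) settles uniqueness, while any unpredictability requirement cannot be met by block fields at all.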