The random() function of the smart contract implementation for CryptoSaga, an Ethereum game, generates a random value with publicly…
mitre·CWE-338·Published 2018-09-24
The random() function of the smart contract implementation for CryptoSaga, an Ethereum game, generates a random value with publicly readable variables such as timestamp, the current block's blockhash, and a private variable (which can be read with a getStorageAt call). Therefore, attackers can precompute the random number and manipulate the game (e.g., get powerful characters or get critical damages).
The random() function of the smart contract implementation for CryptoSaga, an Ethereum game, generates a random value with publicly readable variables such as timestamp, the current block's blockhash, and a private variable (which can be read with a getStorageAt call). Therefore, attackers can precompute the random number and manipulate the game (e.g., get powerful characters or get critical damages).
La función random() de una implementación de contrato inteligente de CryptoSaga, un juego de Ethereum, genera un valor aleatorio con variables legibles globalmente como la marca de tiempo, el hash del bloque actual y una variable privada (que se puede leer con una llamada getStorageAt). Por lo tanto, los atacantes pueden precalcular el número aleatorio y manipular el juego (p.ej., obtener personajes poderosos o conseguir proporcionar daño crítico).
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| 3.0 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |