Random Number Function Vulnerability Affects Fairness of Ethereum Online Game
It emerged that MyCryptoChamp online game smart contract contains controllable random number function, which affects the fairness of the game.
Specifically, the random numbers are generated by the module randMod using private variable called randNonce and block hash. Users can access the value of randNonce through web3.eth.getStorageAt() function, and block hash can be read inside or outside the contract.
Attackers can use the values that are acquired by methods mentioned above to calculate the ultimate ideal ‘random numbers’ and enter the game at this point. The attributes of new champs and items will be generated according to the ideal numbers. This vulnerability realized acquisition of maximum benefits using minimum cost (consumption of gas). Hence the loss of fairness.
According to the official advice of Solidity, developers may use third-party services outside the public chain, such as Oraclize, to realized the calculation of random numbers. Chengdu LianAn Technology admonishes project initiators that smart contract auditing is a crucial process for the security of the project. To prevent huge problems or losses, seeking help from professional third-party auditing teams is recommended when necessary.
For more details, please refer to the original link and analysis by Jonghyuk Song:
About LianAn Technology:
Chengdu LianAn Technology Co. Ltd. is headquartered in Chengdu and focuses on blockchain security field. Founded by Prof. Xia Yang and Prof. Wensheng Guo of UESTC, LianAn Tech’s core team members consist of more than 30 associate professors, postdoctoral students, doctors and masters with experience of studying at overseas leading universities and laboratories (CSDS, Yale, and UCLA) as well as indutry elite from Alibaba Huawei, and other famous enterprises. Using formal verification as its core technology, this team has been providing years of services for security critical systems in aerospace, military and other fields. Chengdu LianAn Technology Co. Ltd. is the one and only company in China that applies this technology to blockchain security field.
Being the only blockchian security company that obtained strategic investment from Fenbushi capital, LianAn Technology has signed strategic cooperation agreements with well-known corporations such as Huobi, OKEX, KuCoin, LBank, CoinMex, Becent, ONT, Scry, CareerOn, IoTeX, DALICHAIN, Bplus, Bytom, Bubi Blockchain, and YUNPHANT. In addition, it has made cooperative agreement with France Inria, the top formal verification team in the world. LianAn Tech was listed on the “2018 China Blockchain Industry White Paper” issued by the Ministry of Industry and Information Technology, and it has also been selected for the smart contract security audit recommendation List.
Let’s Connect
E-mail:vaas@lianantech.com
Official website:https://www.lianantech.com
Twitter: https://twitter.com/LianAnTech_com
Facebook: https://www.facebook.com/LianAnTechChengdu/
Telegram Chinese Group:https://t.me/joinchat/IRgNDA4iCF0Rs92sg5qoVg
Telegram English group: https://t.me/joinchat/IRgNDBBpCon-695ATmbA4w
