TheRun hack

ID: 1
Submit date: 10.25.2018
Publish date: 10.25.2018
Author:
Score: 10.0

Description

TheRun uses the current timestamp to generate random numbers and awards a jackpot based on the result. Similarly, a betting contract may run for a predetermined betting period, after which it considers the bets that have been submitted. Ethereum's smart contract framework exposes the time through the now variable, which is set to the miner's local timestamp. Unfortunately, a colluding miner can manipulate this timestamp: by adjusting it by a few seconds, he can change the output of the contract to his benefit. In TheRun, the output of the random number generator can be manipulated; in the betting contract, the period can be extended or shrunk to affect future transactions.

Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:N
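To quantify the effect described above, the following added example (not code from TheRun or from this database) models a jackpot draw derived from the block timestamp and compares an honest block producer with one free to report any timestamp within a few seconds of drift. The hash construction, function names, salt, block spacing and 1-in-10 odds are assumptions made for illustration.

```python
import hashlib

BASE_TIME = 1_540_425_600   # constructed start time, seconds since epoch
BLOCK_SPACING = 15          # constructed spacing between blocks, in seconds


def draw(timestamp: int, salt: bytes, modulus: int) -> int:
    """Toy timestamp-seeded draw: SHA-256(salt || timestamp) mod modulus."""
    digest = hashlib.sha256(salt + timestamp.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % modulus


def win_rates(blocks: int, modulus: int, drift: int,
              salt: bytes = b"constructed-salt") -> tuple[float, float]:
    """Return (honest_rate, steered_rate) for a 1-in-`modulus` jackpot.

    honest:  the producer reports the true time.
    steered: the producer may report any second in [true, true + drift]
             and keeps a value that wins, if one exists.
    """
    honest = steered = 0
    for i in range(blocks):
        true_time = BASE_TIME + BLOCK_SPACING * i
        honest += draw(true_time, salt, modulus) == 0
        steered += any(draw(t, salt, modulus) == 0
                       for t in range(true_time, true_time + drift + 1))
    return honest / blocks, steered / blocks


def expected_steered_rate(modulus: int, drift: int) -> float:
    """Analytic rate: at least one of drift + 1 independent draws wins."""
    return 1 - (1 - 1 / modulus) ** (drift + 1)


if __name__ == "__main__":
    for drift in (0, 2, 5, 10):
        honest, steered = win_rates(20_000, 10, drift)
        print(f"drift={drift:>2}s honest={honest:.3f} steered={steered:.3f} "
              f"expected={expected_steered_rate(10, drift):.3f}")
```

The steered rate depends only on the odds and on how many timestamps the producer can choose from, so a contract should treat now as producer-controlled input rather than as a source of entropy.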

Component

Smart contract

Platform

Ethereum

Subclass

Entropy Illusion

Original source

https://etherscan.io/address/0xcac337492149bdb66b088bf5914bedfbf78ccc18