Description
A 10-minute check turns up a couple of major issues. First, the random function relies only on the following numbers:
- A custom integer used as a random factor, hardcoded into the contract.
- The prior block's hash.
- The length of the list of eligible donkeys.

This random number is used to choose which of the donkeys is paid out. Ethereum blocks come about every 45 seconds; therefore, there is plenty of time for an attacker to calculate whether they would be the paid-out donkey and only trigger the contract with a payment if they are the recipient.
This qualifies as a severe bug to my mind. It is not mitigated by the contract's popularity -- more people playing increase your chances of being lucky -- but when the contract is not used often, there is a guaranteed way to prod it and get paid out.
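The weakness can be confirmed with an offline model of the selection, comparing a caller who pays in every block with one who first evaluates the same function on the already-public inputs. This is an added example, not the contract's code: the SHA-256 mixing, the RANDOM_FACTOR value, the block hashes and all function names are assumptions constructed for illustration.

```python
import hashlib

# Constructed stand-in for the contract's hardcoded factor (not the real value).
RANDOM_FACTOR = 7919

def pick_index(random_factor: int, prev_block_hash: bytes, n_eligible: int) -> int:
    """Model of a selection that depends only on the three inputs the page lists."""
    if n_eligible <= 0:
        raise ValueError("no eligible entries")
    material = (random_factor.to_bytes(32, "big")
                + prev_block_hash
                + n_eligible.to_bytes(32, "big"))
    # SHA-256 stands in for whatever mixing the contract performs (assumption).
    return int.from_bytes(hashlib.sha256(material).digest(), "big") % n_eligible

def constructed_block_hash(height: int) -> bytes:
    """Constructed sample block hashes so the model runs offline."""
    return hashlib.sha256(b"constructed-block-%d" % height).digest()

def simulate(n_eligible: int, my_index: int, blocks: int) -> dict:
    """Count wins for a blind caller and for one who checks the public inputs first."""
    blind_calls = blind_wins = selective_calls = selective_wins = 0
    for height in range(1, blocks + 1):
        # The previous block's hash is published before block `height` is built.
        prev_hash = constructed_block_hash(height - 1)
        # What the contract would compute if called in block `height`.
        contract_pick = pick_index(RANDOM_FACTOR, prev_hash, n_eligible)
        # Blind caller: pays in every block regardless of outcome.
        blind_calls += 1
        blind_wins += int(contract_pick == my_index)
        # Selective caller: re-runs the same function off-chain, pays only on a match.
        predicted = pick_index(RANDOM_FACTOR, prev_hash, n_eligible)
        if predicted == my_index:
            selective_calls += 1
            selective_wins += int(contract_pick == my_index)
    return {"blind_calls": blind_calls, "blind_wins": blind_wins,
            "selective_calls": selective_calls, "selective_wins": selective_wins}

if __name__ == "__main__":
    r = simulate(n_eligible=10, my_index=3, blocks=2000)
    print("blind win rate:     %.3f" % (r["blind_wins"] / r["blind_calls"]))
    print("selective win rate: %.3f" % (r["selective_wins"] / r["selective_calls"]))
```

The blind caller wins roughly one call in n_eligible, while the selective caller wins every call it makes, because no input to the selection is unknown at the time the transaction is sent.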
Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:N
Original source
https://etherscan.io/address/0xbA6284cA128d72B25f1353FadD06Aa145D9095Af#code