Vulnerabilities > CVE-2018-12885 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Mycryptochamp
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, (which can be read with a getStorageAt call). Therefore, attackers can get powerful champs/items and get rewards.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
References
- https://etherscan.io/address/0x689FB61845488297dfE7586E5f7956475955d2Dc
- https://etherscan.io/address/0x689FB61845488297dfE7586E5f7956475955d2Dc
- https://etherscan.io/address/0xa44e464b13280340904ffef0a65b8a0033460430
- https://etherscan.io/address/0xa44e464b13280340904ffef0a65b8a0033460430
- https://medium.com/coinmonks/get-legendary-items-by-breaking-pnrg-of-mycyptochamp-an-ethereum-online-game-cve-2018-12855-6e6beb41b8df
- https://medium.com/coinmonks/get-legendary-items-by-breaking-pnrg-of-mycyptochamp-an-ethereum-online-game-cve-2018-12855-6e6beb41b8df