Challenge: Can you identify what is wrong with this simple Solidity guessing game contract that makes it easy to cheat?

@[email protected] · 1 year ago

Challenge: Can you identify what is wrong with this simple Solidity guessing game contract that makes it easy to cheat?

@[email protected] · 1 year ago

BTW @[email protected] was right. Anyone can view the contract deployment transaction and see the value of secretNumber that was passed as an argument to the constructor.

@[email protected] · 1 year ago

It is definitely a trick question and code intentionally made to be vulnerable to have fun finding what’s wrong and why it is bad practice to do so :)

@Lixen · edit-2 1 year ago

For those that want to have an actual go at it: when deploying it with hardhat for example, you can pass in Math.floor(Math.random()*1000) as the constructor argument in the deploy script, and then see if you can derive the number on the first guess.

@[email protected] · 1 year ago

The formula will return a specific result of uint256 type which will be used in constructor on deployment, right? 😉

@Lixen · 1 year ago

Yeah, this way you don’t know what the number is until you actually figure out the vulnerability.