_winningRandomNumber vartiable used in calculating if caller is winner can be read via web3.getStorageAt() and user can predict if he wins or not before hand

Lines of code Vulnerability details Impact the variable winningRandomNumber used in isWinner to calc if caller has won the tier can be read, and the calculation can be predicted. Proof of Concept that a variable is marked internal doesnt mean it cannot be read Tools Used vs code Recommended...

Design/Logic Flaw

The randMod function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, which can be read with a getStorageAt call. Therefore, attackers can get powerful...