044.md
Micro Blue Cod

High

Function generateOrderId is not a reliable way to obtain a random number

Summary

The function generateOrderId uses keccak256 to produce what is meant to be a random and unique id for each order. However, the keccak256 hash of the encoded sender and block.timestamp is not a reliable source of randomness or uniqueness.

Root Cause

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/AutomationMaster.sol#L90-L95 Here the function uses keccak256(abi.encodePacked(sender, block.timestamp)) to generate the order id. This cannot guarantee that the result is random or unique: it is a deterministic pseudo-random value, and two orders created by the same sender in the same block (same block.timestamp) produce the same id.

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L476-L493 The existing-order-id handling here is not robust either. It cannot guarantee that the new id is unique, so a colliding id may affect an existing order that already uses it.
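The derivation described above next to a variant that cannot collide, as an added illustration written for this report and not the Oku project's code; the function names, the bytes32 return type, the nonce and the orderExists mapping are assumptions for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not the Oku code: the id derivation the report
/// describes, beside a variant that yields a distinct id on every call.
contract OrderIdExample {
    // Weak derivation as described in the report: two orders created by the
    // same sender in the same block share block.timestamp, so they share the id.
    function generateOrderIdWeak(address sender) public view returns (bytes32) {
        return keccak256(abi.encodePacked(sender, block.timestamp));
    }

    // Hardened variant (assumed design, not the project's): a per-contract
    // counter is mixed into the hash, so every call yields a distinct id even
    // within one block, and createOrder refuses to overwrite an existing order.
    uint256 private orderNonce;
    mapping(bytes32 => bool) public orderExists;

    function generateOrderIdSafe(address sender) internal returns (bytes32) {
        // orderNonce++ reads the current value and increments it for the next call
        return keccak256(abi.encodePacked(sender, block.timestamp, orderNonce++));
    }

    function createOrder() external returns (bytes32 id) {
        id = generateOrderIdSafe(msg.sender);
        // Defensive check: never silently overwrite stored order state.
        require(!orderExists[id], "order id already exists");
        orderExists[id] = true;
    }

    /// Demonstration helper: within one transaction, two weak ids for the
    /// same sender are identical, while two safe ids differ.
    function collisionDemo() external returns (bool weakCollides, bool safeDistinct) {
        bytes32 a = generateOrderIdWeak(msg.sender);
        bytes32 b = generateOrderIdWeak(msg.sender);
        weakCollides = (a == b);      // true: same sender, same block.timestamp
        bytes32 c = generateOrderIdSafe(msg.sender);
        bytes32 d = generateOrderIdSafe(msg.sender);
        safeDistinct = (c != d);      // true: the nonce differs between calls
    }
}
```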

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

An existing order may be overwritten and the funds held in it lost.

PoC

No response

Mitigation

No response