Client seed accepts whitespace, low-entropy values, and has no length or charset bounds
Client seed input lacked length, charset, and entropy bounds, accepting whitespace and trivial values. This undermined the user-influence guarantee and created a low-effort DoS vector through giant or malformed inputs.
Description
The clientSeed field accepted any string, including whitespace-only or single-character values. Length was unbounded and the charset was unrestricted. Trivial seeds undermine the "user influence" property of the provably-fair scheme, since the derived randomness collapses to a predictable space; oversized inputs create a low-effort DoS vector against the hash and storage paths.
Impact
- Provably-fair "user-influence" guarantee weakened.
- DoS surface on session initialization.
- Verification UI may render confusingly when seed is whitespace or contains control characters.
Recommendation
Enforce a minimum length and a hex or base58 charset on clientSeed. Cap maximum length to a small constant. Reject whitespace-only seeds. Normalize seeds before hashing so identical-looking inputs collide deterministically.
Fair Casino: Fixed. Zealynx: Verified.