First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Weak random number can be manipulated

aballok

Summary

Weak Source of Randomness

Vulnerability Details

The randomness used is insecure ways of generating randomness due to deterministic nature of the blockchain especially the one that uses block.timestamp easily playable and influenced by miners

uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Impact

If resorting to latests versions Solidity since Proof Of Stae block.difficulty does not make sense anymore can only use e.g block.prevrandao

Randomness can be manipulated by especially miners to ensure the resulting index is their index corresponding to their address. Manipulators can ensure they always win and always get their desired rarity and so make the raffle which is supposed to give everyone fair chances an unfair curve

Tools Used

Manual Analysis

Recommendations

Make use of Chainlink VRF, external sources randomness, RANDAO or any other scheme that cant be manipulate by users or miners to ensure fair outcomes

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG Impact: manipulate winner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!