Predictable Winner
Summary
Generating random numbers lacks true randomness and is predictable.
Attackers can exploit this predictability until they become the winner, enabling them to retrieve the winner NFT.
Vulnerability Details
Generating random numbers lacks true randomness and is predictable.
As a result, attackers can reproduce the random number generation process and execute the selectWinner function multiple times until they successfully win the NFT prize.
The predictability of the random number generation mechanism undermines the security of the system.
Impact
-
Unfair Selecting Winner: Attackers can manipulate the process to predictably win the NFT prize, potentially depriving legitimate participants of their fair chance to win.
-
Loss of Trust: The predictability of the random number generation mechanism decrease trust in the fairness of the selection process in the project.
Example Attack Code
Here: https://gist.github.com/filmptz/489c6770dc1e0b5a20d0490c2dc95512#file-attack-sol-winner
Tools Used
VS Code: Manual
Recommendations
Do not use on-chain data to generate the random numbers I recommend implementing an off-chain random number generation mechanism using a verifiable source of randomness, such as an oracle or a commit-reveal scheme, to ensure true randomness.
Lead Judging Commences
weak-randomness
Root cause: bad RNG Impact: manipulate winner
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.