Use of miner-influenced values in random number generation may make winner selection predictable. This would give some raffle entrants an unfair advantage and destroy the integrity of the raffle.
The lines referenced in the relevant GitHub links use block.timestamp and block.difficulty to generate the randomness used to select the raffle winner and to select which NFT the winner receives. These values should not be used for this purpose because miners can influence them and could therefore predict the outcome.
High in both likelihood of exploitation and impact to the protocol. The impact to the protocol would be devastating: raffle entrants would stop entering once it became known that winner selection is not sufficiently random.
Visual Studio Code
Slither
Use an external provider of randomness, such as Chainlink VRF.
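As an added example (not the audited contest code), the weak pattern described above beside a Chainlink VRF v2 consumer that replaces it; the contract and variable names are assumed, and the import paths follow the @chainlink/contracts package layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;
// Import paths follow the @chainlink/contracts package layout; adjust to the installed version.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Weak pattern from the finding: every input is visible to the block producer and to
// anyone watching the pending block, so the winning index can be computed in advance.
contract WeakRaffle {
    address[] public players;
    function pickWinnerWeak() external view returns (address) {
        uint256 idx = uint256(
            keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))
        ) % players.length;
        return players[idx];
    }
}
// Hardened pattern: the random word arrives from the VRF coordinator in a later
// transaction with an on-chain proof, so nobody knows it when the draw is requested.
contract VrfRaffle is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;
    uint64 private immutable i_subId;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    address[] public players;
    address public recentWinner;
    bool public drawPending;

    constructor(address coordinator, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subId = subId;
    }

    function enter() external { require(!drawPending, "draw pending"); players.push(msg.sender); }

    function requestWinner() external returns (uint256 requestId) {
        require(!drawPending && players.length > 0, "cannot draw");
        drawPending = true; // block entries and further draws until the callback lands
        requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, 1);
    }

    // Reached only via VRFConsumerBaseV2.rawFulfillRandomWords, which requires msg.sender == coordinator.
    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {
        recentWinner = players[randomWords[0] % players.length];
        drawPending = false;
        delete players;
    }
}
```

The VRF subscription must be funded and this contract added as a consumer on the coordinator before requestWinner will succeed.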
Root cause: bad RNG. Impact: manipulate winner.