Deriving pseudo-random values with "keccak256(abi.encodePacked())" in a blockchain smart contract is considered unreliable and potentially vulnerable to front-running attacks.
The code in your smart contract calculates the winnerIndex from a combination of msg.sender, block.timestamp, and block.difficulty, which together produce a pseudo-random value. This value is then used to select a winner from the list of players. However, this approach can be exploited by malicious actors who can control or influence the outcome of the lottery. For example, attackers can manipulate which player wins by calling the "selectWinner" function at a strategically calculated moment, making themselves the winners.
Blockchain-based pseudo-randomness is not truly random, as it relies on deterministic inputs (blockchain data), and attackers can analyze these inputs to predict outcomes or manipulate results. This can undermine the fairness and integrity of the lottery or any other application relying on pseudo-randomness.
manual review
Use an external source of randomness instead of keccak256, such as an external oracle, Chainlink VRF, or off-chain randomness.
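One way to apply this recommendation, added here as an example and not taken from the audited contract: selectWinner only requests randomness, and the winner is chosen in the coordinator's callback. The interface is a local declaration modeled on Chainlink VRF v2 (an assumption to verify against the version you integrate), and RaffleWithVrf, enter, lastWinner and the constructor parameters are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Local interface modeled on the Chainlink VRF v2 coordinator (assumption:
// check it against the coordinator version you actually integrate with).
interface IVRFCoordinatorV2 {
    function requestRandomWords(bytes32 keyHash, uint64 subId, uint16 minConfirmations,
        uint32 callbackGasLimit, uint32 numWords) external returns (uint256 requestId);
}

contract RaffleWithVrf { // hypothetical contract, not the audited one
    IVRFCoordinatorV2 private immutable coordinator;
    bytes32 private immutable keyHash; // placeholder: network-specific value
    uint64 private immutable subId;    // placeholder: funded subscription id
    address[] public players;
    address public lastWinner;
    uint256 private pendingRequestId;
    bool private drawPending;

    constructor(address coordinator_, bytes32 keyHash_, uint64 subId_) {
        coordinator = IVRFCoordinatorV2(coordinator_);
        keyHash = keyHash_;
        subId = subId_;
    }

    function enter() external {
        require(!drawPending, "draw in progress"); // entrant list is frozen during a draw
        players.push(msg.sender);
    }

    // Before, as the finding describes it: every input is known to the caller.
    //   winnerIndex = uint256(keccak256(abi.encodePacked(
    //       msg.sender, block.timestamp, block.difficulty))) % players.length;
    function selectWinner() external {
        require(players.length > 0 && !drawPending, "cannot draw");
        drawPending = true;
        // 3 confirmations, 200k callback gas, 1 random word (constructed values)
        pendingRequestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
    }

    // Callback from the coordinator; the caller of selectWinner never sees the value early.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        require(drawPending && requestId == pendingRequestId, "unexpected request");
        lastWinner = players[randomWords[0] % players.length];
        delete players;
        drawPending = false;
    }
}
```

Splitting the draw into a request and a callback means the transaction that triggers the draw cannot know or choose the random word, and freezing entries while a draw is pending keeps the player list from changing after the request is made.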
Root cause: bad RNG
Impact: manipulate winner