Predictable randomness is used to select Winner in the raffle
Summary
The selectWinner() function in the contract is choosing the winnerIndex using predictable randomness like block.timestamp, block.difficulty which can be manipulated by the validators of the block gives them the chance to win the raffle.
Vulnerability Details
This winnerIndex is calculate using the global variables in the above mentioned code which gives an advantage to the block validator to win the raffle.
Impact
The validator can enter the raffle and can manipulate the global variables to their advantage while choosing the winner of the raffle.
Tools Used
Recommendations
Use Off chain data to get random number like chainlinkVRF which gives verifiably random numbers can be used in the contract by importing import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol" chainlink VRF contract in this contract and utilize in this contract by calling requestRandomWords() function.
Lead Judging Commences
weak-randomness
Root cause: bad RNG Impact: manipulate winner
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.