Submission Details
Severity: high
Valid

Insecure source of randomness in `PuppyRaffle` contract

Summary

The `selectWinner()` function in the `PuppyRaffle` contract uses `block.timestamp` and `block.difficulty` to calculate a random winner. These variables are public and can be manipulated by miners, so this is not a true source of randomness.

Vulnerability Details

An attacker could manipulate the `block.timestamp` and `block.difficulty` variables to ensure that they are selected as the winner. For example, an attacker could mine a block with a timestamp that is slightly ahead of the current time and a difficulty that is slightly lower than the current difficulty. This would increase the attacker's chances of being selected as the winner.

Impact

An attacker could use this vulnerability to prevent other users from winning.

Tools Used

Manual analysis

Recommendations

To mitigate this vulnerability, the `PuppyRaffle` contract should use a more secure source of randomness such as Chainlink VRF. Chainlink VRF is a decentralized oracle service that provides provably random numbers.
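
A sketch of the recommended request-and-callback flow, as an added example that is not the audited `PuppyRaffle` code. It assumes the Chainlink VRF v2 subscription contracts; the contract name, state variables, confirmation count and callback gas limit are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

// Added illustration; not the audited PuppyRaffle source. All names are hypothetical.
contract RaffleWithVrf is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash; // VRF gas lane for the target network (assumed)
    uint64 private immutable i_subId;    // funded VRF subscription id (assumed)
    uint256 public round;                            // bumping this starts a fresh player list
    mapping(uint256 => address[]) private s_players; // round => entrants
    mapping(uint256 => address) public winnerOf;     // round => winner
    uint256 private s_pendingRequest;
    bool public drawInProgress;

    error DrawInProgress();
    error NoPlayers();

    constructor(address coordinator, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subId = subId;
    }

    // Entrants are frozen once randomness is requested, so nobody can join after seeing it.
    function enter() external {
        if (drawInProgress) revert DrawInProgress();
        s_players[round].push(msg.sender);
    }

    // Weak pattern the finding describes (do not use); every input is visible to, or
    // chosen by, whoever builds the block:
    //   uint256(keccak256(abi.encodePacked(block.timestamp, block.difficulty))) % n
    function requestWinner() external returns (uint256 requestId) {
        if (drawInProgress) revert DrawInProgress();
        if (s_players[round].length == 0) revert NoPlayers();
        drawInProgress = true;
        // 3 confirmations, 100k callback gas, 1 random word: illustrative values.
        requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, 3, 100_000, 1);
        s_pendingRequest = requestId;
    }

    // Reached only through the coordinator (enforced by VRFConsumerBaseV2.rawFulfillRandomWords).
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        if (!drawInProgress || requestId != s_pendingRequest) return; // ignore stale ids, never revert
        address[] storage entrants = s_players[round];
        winnerOf[round] = entrants[randomWords[0] % entrants.length];
        drawInProgress = false;
        round += 1; // O(1) reset keeps the callback cheap
    }
}
```

Prize payout is left out of the callback on purpose: a separate claim function reading `winnerOf` keeps the fulfillment within its gas limit.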

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.
