Beginner FriendlyFoundryNFT
100 EXP
View results
Submission Details
Severity: high
Valid

Manipulation of Random Number Generation in selectWinner Function

Summary

The selectWinner function in the provided code is vulnerable to manipulation by validators, allowing them to win the raffle by influencing the random number generation (RNG) mechanism.

Vulnerability Details

The vulnerability arises from the use of a simple RNG mechanism in the selectWinner function. The winner is selected based on the result of uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;. However, this method of RNG is easily predictable and can be manipulated by validators.

Impact

The impact of this vulnerability is that validators or miners who can manipulate the RNG can win the raffle by influencing the outcome of the random number generation. This undermines the fairness and integrity of the raffle, as it allows for potential manipulation and abuse of the selection process.

Tools Used

Manual review.

Recommendations

To improve the security and fairness of the raffle, consider implementing the following recommendations:

  1. Utilize a more secure and unpredictable RNG mechanism, such as using a trusted external random number oracle.

  2. Avoid relying solely on block-related information, such as block.timestamp and block.difficulty, for RNG purposes, as they can be manipulated by validators.

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG Impact: manipulate winner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.