The selectWinner function derives its randomness solely from on-chain data. Using on-chain data as the only source of randomness makes the result weak and exploitable.
The selectWinner function uses randomness built only from on-chain data.
This is not a good source of randomness because on-chain data can be modified by multiple parties (e.g. the user, the miners, etc.).
Because the code is publicly visible, anyone with enough knowledge and power can modify certain aspects of the transaction to get the outcome they want.
src/PuppyRaffle.sol
https://github.com/Cyfrin/2023-10-Puppy-Raffle/blob/07399f4d02520a2abf6f462c024842e495ca82e4/src/PuppyRaffle.sol#L139C28-L139C28
Blocks and transactions can be modified in such a way as to guarantee the desired NFT rarity.
It is recommended to not make randomness dependent on on-chain data pieces such as sender address or block difficulty. Consider generating random numbers by using something like Chainlink VRF instead.
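A sketch of the recommended request-and-callback shape, added here as an example; it is not code from PuppyRaffle or from Chainlink. The contract name, state variables and numeric request parameters are assumptions, and the interface is an inline copy of the VRF v2 coordinator's request call so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Inline copy of the Chainlink VRF v2 coordinator request call, so this file compiles alone.
interface IVRFCoordinatorV2 {
    function requestRandomWords(bytes32 keyHash, uint64 subId, uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit, uint32 numWords) external returns (uint256 requestId);
}

// Hypothetical raffle written for this example; it is not PuppyRaffle.
contract VrfRaffleSketch {
    IVRFCoordinatorV2 private immutable coordinator;
    bytes32 private immutable keyHash; // assumption: gas-lane key chosen at deployment
    uint64 private immutable subId;    // assumption: funded VRF subscription id
    address[] public players;
    address public lastWinner;
    uint256 public pendingRequestId;
    bool public drawPending;           // true between request and fulfilment

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) {
        coordinator = IVRFCoordinatorV2(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    function enter() external {
        require(!drawPending, "draw in progress"); // player set is frozen once requested
        players.push(msg.sender);
    }

    // Replaces the pattern the finding describes: an index hashed from on-chain values
    // such as msg.sender or block.difficulty inside the same transaction.
    function selectWinner() external {
        require(players.length > 0 && !drawPending, "cannot draw");
        drawPending = true;
        // 3 confirmations, 200000 callback gas, 1 word: constructed sample values.
        pendingRequestId = coordinator.requestRandomWords(keyHash, subId, 3, 200000, 1);
    }

    // Called back by the coordinator with the proof-verified random words.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        require(drawPending && requestId == pendingRequestId, "unknown request");
        lastWinner = players[randomWords[0] % players.length];
        delete players;
        drawPending = false;
    }
}
```

The winner is fixed only in the callback, after the player list has been frozen, so nothing the caller or block producer controls in the selectWinner transaction feeds the index.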
Manual Audit
Foundry
Root cause: bad RNG. Impact: manipulate winner.