Submission Details
Severity: high
Valid

selectWinner is not verifiably random when selecting a winner - results can be manipulated

Summary

The `PuppyRaffle::selectWinner` function does not pick a verifiably random winner. A number computed from properties of the Ethereum blockchain is only pseudo-random and can be manipulated by miners.

Vulnerability Details

When winnerIndex is calculated it uses properties of the Ethereum blockchain such as msg.sender, block.timestamp, and block.difficulty to create a seed for the keccak256 hash function. The result is then used to compute a random index within the range of players.length.

Calculating a random number like this does provide a level of randomness; however, the input data could potentially be manipulated by miners.

uint256 winnerIndex =
@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

Impact

Potential manipulation of raffle winner. The winning player is picked using values that can be manipulated unfairly rather than by using a service that picks a verifiably random number.

Tools Used

- Foundry

Recommendations

Use an oracle service such as Chainlink VRF to select a random number to determine the winner of the lottery.
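
The recommendation above, shown as the request-and-callback pattern of Chainlink VRF v2 (subscription model). This is an added example, not PuppyRaffle's code or the submitter's; the contract name, `enter`, `drawPending`, the gas limit and the constructor parameters are assumptions, and the import paths depend on the installed @chainlink/contracts release.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Assumed import paths; they differ between @chainlink/contracts releases.
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

/// Hypothetical raffle contract (not PuppyRaffle); fees and prizes are out of scope.
contract VrfRaffleExample is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;        // gas lane, network specific
    uint64 private immutable i_subscriptionId;  // funded VRF subscription
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000; // assumed value, tune per deployment
    uint32 private constant NUM_WORDS = 1;

    address[] public players;
    address public previousWinner;
    bool public drawPending;

    constructor(address coordinator, bytes32 keyHash, uint64 subscriptionId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
    }

    function enter(address player) external {
        // players.length is the modulus used below, so freeze it while a request is in flight.
        require(!drawPending, "draw in progress");
        players.push(player);
    }

    /// Step 1: request randomness from the coordinator instead of hashing block fields.
    function selectWinner() external returns (uint256 requestId) {
        require(players.length > 0, "no players");
        require(!drawPending, "draw in progress");
        drawPending = true;
        requestId = i_coordinator.requestRandomWords(
            i_keyHash, i_subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, NUM_WORDS);
    }

    /// Step 2: invoked via the coordinator after the VRF proof has been verified on-chain.
    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {
        uint256 winnerIndex = randomWords[0] % players.length;
        previousWinner = players[winnerIndex];
        delete players;
        drawPending = false;
    }
}
```

The winner is now derived from a value that neither `msg.sender` nor the block producer chooses, and the player list cannot change between the request and the callback.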

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.
