Submission Details
Severity: high
Valid

Rarity of the prize token is not verifiably random - rarity can be manipulated

Summary

The 'PuppyRaffle::selectWinner' function does not pick a verifiably random value to determine the rarity of the prize token. A number computed from properties of the Ethereum blockchain is only pseudo-random and can be manipulated by miners.

Vulnerability Details

When rarity is calculated, properties of the Ethereum blockchain such as msg.sender and block.difficulty are used as the seed for the keccak256 hash function. The resulting hash is then reduced modulo 100 to a value in the range 0-99, which determines the rarity.

Calculating a random number like this does provide a level of randomness; however, the inputs could potentially be manipulated by miners.

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Impact

Potential manipulation of the winner's token rarity. The rarity of the token is picked using values that can be manipulated unfairly rather than by using a service that picks a verifiably random number.

Tools Used

- Foundry

Recommendations

Use an oracle service such as Chainlink VRF to select a random number to determine the rarity of the prize token.
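A sketch of the recommended fix, as an added example that is not PuppyRaffle code or part of the original submission: rarity comes from a Chainlink VRF v2 callback instead of msg.sender and block.difficulty. The contract name, storage layout, owner check, gas and confirmation constants, and the 0.8 pragma are assumptions; the key hash and subscription id are network-specific values supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Import paths match @chainlink/contracts releases that ship VRF v2 directly
// under src/v0.8/; adjust them to the installed package version.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

// Hypothetical contract: two-step rarity assignment driven by VRF.
contract RarityFromVrf is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;            // gas lane, network specific
    uint64 private immutable i_subId;               // funded VRF subscription id
    uint16 private constant CONFIRMATIONS = 3;      // assumed value
    uint32 private constant CALLBACK_GAS = 200_000; // assumed callback budget
    address public immutable owner;

    mapping(uint256 => address) private s_winnerOf; // requestId => pending winner
    mapping(address => uint256) public rarityOf;    // 0-99, valid once rarityReady
    mapping(address => bool) public rarityReady;

    event RarityRequested(uint256 indexed requestId, address indexed winner);
    event RarityAssigned(uint256 indexed requestId, address indexed winner, uint256 rarity);

    constructor(address coordinator, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subId = subId;
        owner = msg.sender;
    }

    // Step 1: takes the place of the in-transaction keccak256 rarity line.
    function requestRarity(address winner) external returns (uint256 requestId) {
        require(msg.sender == owner, "not authorised");
        requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, CONFIRMATIONS, CALLBACK_GAS, 1);
        s_winnerOf[requestId] = winner;
        emit RarityRequested(requestId, winner);
    }

    // Step 2: reachable only by the coordinator, through rawFulfillRandomWords
    // in the base contract. It returns instead of reverting on unknown requests.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address winner = s_winnerOf[requestId];
        if (winner == address(0)) return;
        delete s_winnerOf[requestId];
        uint256 rarity = randomWords[0] % 100; // same 0-99 range as the original line
        rarityOf[winner] = rarity;
        rarityReady[winner] = true;
        emit RarityAssigned(requestId, winner, rarity);
    }
}
```

Because the random word arrives in a later transaction, the prize token can only be minted or revealed after the callback has run, not inside the call that selects the winner.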

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.
