The PuppyRaffle contract relies on block.timestamp and block.difficulty as its source of randomness in the selectWinner function. This method of generating randomness is not secure and can be manipulated by miners or attackers.
The contract uses block.timestamp and block.difficulty to determine the winner in the selectWinner function. These variables are known to be a weak source of randomness in Ethereum, as miners have some control over these values. This means that miners or attackers can potentially manipulate the outcome of the raffle, compromising its fairness.
Medium: Depending on the level of manipulation, the weak source of randomness can significantly impact the fairness and integrity of the raffle, allowing malicious actors to potentially control the outcome.
Manual review of the smart contract code.
To address the issue of weak randomness, consider implementing the following recommendations:
Implement a secure source of randomness, such as Chainlink VRF (Verifiable Random Function), to select the winner in the selectWinner function. This will provide a tamper-resistant source of randomness and enhance the fairness of the raffle.
Avoid relying on block.timestamp and block.difficulty for critical randomness in the contract. These values are best suited for non-security-critical purposes.
By implementing these recommendations, the contract can significantly improve the integrity of the raffle.
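The first recommendation, sketched as an added example (not PuppyRaffle's own code, and not taken from the original submission): a minimal raffle that takes its winner index from a Chainlink VRF v2 callback instead of block values. The contract name, state variables, confirmation count, callback gas limit and the `@chainlink/contracts` import paths are assumptions; entry fees and refunds are left out to keep the focus on the randomness flow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Assumption: a @chainlink/contracts release that ships VRF v2 at these paths.
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

// Hypothetical contract for illustration only.
contract RaffleWithVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash; // gas lane, network specific
    uint64 private immutable subId;    // funded VRF subscription id
    address[] public players;
    address public lastWinner;
    uint256 public pendingRequestId;
    bool public drawInProgress;

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    function enterRaffle() external {
        // Freeze the player set once randomness has been requested, so the
        // list cannot be changed while the random word is still pending.
        require(!drawInProgress, "draw in progress");
        players.push(msg.sender);
    }

    // Step 1: request randomness. No block.timestamp or block.difficulty.
    function selectWinner() external {
        require(players.length > 0, "no players");
        require(!drawInProgress, "draw in progress");
        drawInProgress = true;
        // Arguments: keyHash, subId, confirmations, callback gas limit, word count.
        pendingRequestId = coordinator.requestRandomWords(keyHash, subId, 3, 200000, 1);
    }

    // Step 2: only the coordinator can reach this, via rawFulfillRandomWords.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        if (requestId != pendingRequestId) return; // ignore stale requests, never revert here
        lastWinner = players[randomWords[0] % players.length];
        delete players;
        drawInProgress = false;
    }
}
```

The draw becomes a two-transaction flow: the value that picks the winner does not exist when selectWinner is called, so neither the caller nor the block producer can choose it.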
Root cause: bad RNG
Impact: manipulate winner