There is No Randomness in selectWinner()
Summary
Randomness is not truly random and user can use this to choose themselves as winner and get a legendary puppy.
Vulnerability Details
Winner and rarity is calculated as:
The variables under consideration are not completely randomized and their outcomes can be predicted. These values are accessible to any miner. Any other transaction within the same mined block has the ability to read these quantities. The situation can further deteriorate as these values are susceptible to manipulation if the attacker also happens to be a miner.
Hence it is possible for a miner to manipulate timestamp and difficulty in order to choose themselves as winner and get the rarest puppy. Let's not forget that this function is external and anyone can call it.
Impact
Main functionality of the protocol (raffle) is broken. It is hackable by miners and is not provide valid randomness. Impact is high and likelihood is medium, hence I consider this as high.
Tools Used
Manual Review
Recommendations
Find a better way to create randomness. Chainlink VRF is a good example.
Lead Judging Commences
weak-randomness
Root cause: bad RNG Impact: manipulate winner
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.