'RapBattle.sol::_battle' is not verifiably random when selecting a winner
Summary
The 'RapBattle.sol::_battle' function does not pick a verifiably random winner. Relying on properties of the Ethereum blockchain to compute a random number is considered pseudo-random and can be manipulated by miners.
Vulnerability Details
When random is calculated, it uses properties of the Ethereum blockchain such as block.timestamp, block.prevrandao, and msg.sender to create a seed for the keccak256 hash function. The result is then used to compute a random index within the range of totalBattleSkill.
Calculating a random number like this does provide a level of randomness; however, the data could potentially be manipulated through miner manipulation.
Impact
Potential manipulation of rap battle winner. The winning rapper is picked using values that can be manipulated unfairly rather than by using a service that picks a verifiably random number.
Tools Used
--Foundry
Recommendations
Use an Oracle service such a Chainlink VRF to select a random number to determine the winner of the rap battle.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.