Submission Details
Severity: high
Valid

H-1: Source of randomness can be manipulated, resulting in an unfair advantage for malicious participants.

Summary

In "RapBattle.sol", the function "goOnStageOrBattle" calls the internal function "_battle", which uses an unfair source of randomness to generate a random number and pick the winner between the "defender" and "challenger".

Vulnerability Details

uint256 random =
    uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % totalBattleSkill;

The function "_battle" uses values such as block.timestamp, block.prevrandao and msg.sender to generate a random number. These values can be either influenced by validators or miners, or viewed by them in the mempool, to get a more favorable outcome. A malicious participant, with the help of a validator or a miner, can intentionally delay or expedite block production to get a slightly more favorable block.timestamp and win the RapBattle.

Impact

A malicious participant (defender or challenger), with the help of a malicious validator that has enough stake or is able to collude with other validators, can influence the random number and win the Rap Battle unfairly.

Tools Used

Manual review

Recommendations

Use Chainlink VRF or any trusted decentralized oracle network to generate a provably fair random number.
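
One way to structure this recommendation, as an added example that is not code from RapBattle.sol or from Chainlink: the battle is split into a request and an oracle callback, so no block value or caller address feeds the outcome. `IRandomnessOracle`, `RapBattleSketch`, `_requestBattle`, `fulfillRandomness` and the skill-weighted winner rule are assumptions; a real integration would use the chosen oracle's own consumer interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface (assumption): stands in for the VRF coordinator actually used.
interface IRandomnessOracle {
    function requestRandomness() external returns (uint256 requestId);
}

abstract contract RapBattleSketch {
    struct PendingBattle {
        address defender;
        address challenger;
        uint256 defenderSkill;
        uint256 challengerSkill;
    }

    IRandomnessOracle public immutable oracle;
    mapping(uint256 => PendingBattle) public pending; // requestId => battle awaiting randomness

    event BattleResolved(uint256 indexed requestId, address winner);

    constructor(IRandomnessOracle _oracle) {
        oracle = _oracle;
    }

    // Step 1 (called where "_battle" used to compute `random`): lock in both sides
    // and their skills, then ask the oracle. Nothing here decides the winner.
    function _requestBattle(address defender, address challenger, uint256 defenderSkill, uint256 challengerSkill)
        internal returns (uint256 requestId)
    {
        require(defenderSkill + challengerSkill > 0, "no skill"); // avoids modulo by zero later
        requestId = oracle.requestRandomness();
        pending[requestId] = PendingBattle(defender, challenger, defenderSkill, challengerSkill);
    }

    // Step 2: only the oracle may deliver the random word, in a later transaction.
    function fulfillRandomness(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        PendingBattle memory b = pending[requestId];
        require(b.defender != address(0), "unknown request");
        delete pending[requestId]; // each request resolves exactly once

        // Assumption: the defender wins with probability defenderSkill / totalBattleSkill.
        uint256 totalBattleSkill = b.defenderSkill + b.challengerSkill;
        uint256 random = randomWord % totalBattleSkill;
        address winner = random < b.defenderSkill ? b.defender : b.challenger;
        emit BattleResolved(requestId, winner);
    }
}
```

Any payout to the winner belongs in the callback, after the pending entry is deleted, so a battle cannot be settled from the requesting transaction or settled twice.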

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
