The on-chain random number generation in RapBattle:_battle() uses predictable block properties, enabling attackers to foresee battle outcomes. This flaw permits selective participation in only those battles that are predetermined to be won.
Attackers can deploy a contract that pre-calculates the outcome of a rap battle, leveraging predictable elements like block.timestamp, block.prevrandao, and msg.sender. The contract opts to proceed with the RapBattle:goOnStageOrBattle() call only if a win is assured, otherwise reverting to avoid loss.
This exploit undermines the contract's competitive integrity, allowing malicious actors to secure victories and rewards without risking their own CredToken.
Manual Review, Anvil, Remix IDE
To mitigate this vulnerability, integrating a secure and unpredictable source of randomness, such as Chainlink VRF, is recommended.
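A sketch of that mitigation using Chainlink VRF v2's request/callback pattern, added here as an example and not taken from the contest code base. The contract name, requestBattle(), the owed mapping, the 50/50 win rule and the ERC-20 style token interface are assumptions; only the challenger's stake is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch. Import paths assume the @chainlink/contracts layout with VRF v2 under src/v0.8/vrf/.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RapBattleVRFSketch is VRFConsumerBaseV2 {
    struct Pending { address defender; address challenger; uint256 bet; }
    VRFCoordinatorV2Interface private immutable coordinator;
    IERC20Min private immutable credToken; // assumed ERC-20 style bet token
    bytes32 private immutable keyHash;     // network-specific gas lane
    uint64 private immutable subId;        // funded VRF subscription id
    mapping(uint256 => Pending) private pending; // requestId => battle
    mapping(address => uint256) public owed;     // pull-payment balances

    constructor(address vrf, address token, bytes32 lane, uint64 sub) VRFConsumerBaseV2(vrf) {
        coordinator = VRFCoordinatorV2Interface(vrf);
        credToken = IERC20Min(token);
        keyHash = lane;
        subId = sub;
    }

    // Step 1: the bet is escrowed before any randomness exists, so a caller
    // cannot compute the result in the same transaction and revert on a loss.
    function requestBattle(address defender, uint256 bet) external returns (uint256 id) {
        require(credToken.transferFrom(msg.sender, address(this), bet), "escrow failed");
        id = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        pending[id] = Pending(defender, msg.sender, bet);
    }

    // Step 2: runs in a later transaction sent by the VRF coordinator.
    // It should not revert, so it only credits a balance.
    function fulfillRandomWords(uint256 id, uint256[] memory words) internal override {
        Pending memory b = pending[id];
        if (b.challenger == address(0)) return; // unknown or already resolved
        delete pending[id];
        // Hypothetical 50/50 rule standing in for the contract's win condition.
        owed[words[0] % 2 == 0 ? b.defender : b.challenger] += b.bet;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; // zero before the external call
        require(credToken.transfer(msg.sender, amount), "payout failed");
    }
}
```

Because the outcome is settled in the coordinator's transaction rather than the challenger's, a wrapper contract has nothing to inspect and revert on at the moment the stake is committed.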