Submission Details
Severity: high
Valid

`RapBattle::battle()` uses a weak RNG

Summary

The `RapBattle::battle()` function relies on `block.timestamp` and `block.prevrandao` for randomness generation, a practice generally discouraged due to potential manipulation by calling contracts.

Vulnerability Details

The predictability of `block.timestamp` and `block.prevrandao` allows attackers to calculate the outcome in advance. Specifically, on the Arbitrum network, `block.prevrandao` is always set to 1, as noted in the Arbitrum documentation:

`block.prevrandao`: Returns the constant 1.

This constant value further exacerbates the issue of predictability.

Impact

Attackers could exploit this vulnerability by determining the outcome of battles before participating, enabling them to choose battles they are certain to win or engage in front-running tactics to secure an advantage.

Tools Used

Manual review.

Recommendations

To mitigate this vulnerability, it is advisable to integrate a decentralized oracle for random number generation, such as Chainlink's VRF, which provides verifiable randomness that cannot be manipulated by participants or miners.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
