Description: Hashing msg.sender, block.timestamp and block.prevrandao together creates a predictable final number. A predictable number is not a good random number. Malicious users can manipulate these values or know them ahead of time to choose the winner of the rap battle themselves.
Impact: Any user can influence the winner of the rap battle thus winning both the defender and challenger's bets. This would make the entire protocol worthless if it becomes a gas war as to who wins the rap battle.
Proof of Concept:
Validators can know ahead of time the block.timestamp and block.difficulty and use that to predict when/how to participate. See the Solidity blog on prevrandao.
Users can mine/manipulate their msg.sender value to result in their address being used to generate the winner!
Users can revert their _battle transaction if they don't like the winner.
Using on-chain values as a randomness seed is a well-documented attack vector in the blockchain space.
Recommended Mitigation: Consider using a cryptographically provable random number generator such as Chainlink VRF.
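As an added example (not part of the original finding or the audited code base), the following Python check flags keccak256 calls in Solidity source that are seeded with the block values named above. The function names and the sample contract text are constructed for illustration.

```python
import re
# On-chain values a validator or caller can know or influence before execution.
BLOCK_VALUES = ("block.timestamp", "block.prevrandao", "block.difficulty",
                "block.number", "blockhash")
CALLER_VALUES = ("msg.sender", "tx.origin")

def _strip_comments(src: str) -> str:
    """Blank out // and /* */ comments while preserving line numbers."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def _call_args(src: str, open_paren: int) -> str:
    """Return the text between a '(' and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced call: scan to end of file

def find_weak_randomness(source: str):
    """Return [(line_no, [values])] for keccak256 calls seeded by block data."""
    src, findings = _strip_comments(source), []
    for m in re.finditer(r"\bkeccak256\s*\(", src):
        args = _call_args(src, m.end() - 1)
        used = [v for v in BLOCK_VALUES + CALLER_VALUES
                if re.search(r"\b" + re.escape(v) + r"\b", args)]
        # msg.sender alone is an ordinary ID/mapping key; block data marks a seed.
        if any(v in BLOCK_VALUES for v in used):
            findings.append((src.count("\n", 0, m.start()) + 1, used))
    return findings

# Constructed sample, not the audited contract's source.
SAMPLE = """\
contract Battle {
    function _battle() internal {
        // keccak256(block.timestamp) in a comment is ignored
        uint256 random = uint256(keccak256(abi.encodePacked(
            block.timestamp, block.prevrandao, msg.sender))) % 10;
        bytes32 id = keccak256(abi.encodePacked(msg.sender)); // not a seed
    }
}
"""

if __name__ == "__main__":
    print(find_weak_randomness(SAMPLE))
```

A hit is a prompt for manual review, since the check is textual and does not follow values through intermediate variables.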