The provided code includes a vulnerability related to the usage of the `keccak256` hashing algorithm for generating randomness. The `random` variable, which influences the outcome of the battle, relies on a deterministic method that uses the block timestamp, previous random value, and the sender's address. This approach is unsafe because the generated values are predictable.
The vulnerable code segment is in the `_battle` function in the `RapBattle` file:
Here, the `keccak256` hash function is used to generate a pseudo-random number for determining the outcome of a battle. However, relying on block information and the sender's address for randomness introduces predictability, making the system susceptible to manipulation.
The impact of using an insecure randomness generation method in the context of a battle function is significant. It may allow malicious actors to exploit the predictability of the generated random values, potentially gaining an unfair advantage in battles.
Manual Review
To enhance the security and unpredictability of randomness in the `_battle` function, it is recommended to replace the current method with a more robust and secure randomness generation solution. One such solution is the Chainlink Verifiable Random Function (VRF), a decentralized oracle network that provides secure and tamper-resistant randomness.
By integrating Chainlink VRF, the application can ensure a more secure and unbiased source of randomness, reducing the risk of manipulation and providing a fairer gaming experience.