Submission Details
Severity:
Random is predictable in battle
Summary
Random is predictable in battle
Vulnerability Details
In one battle, contract will generate one random number to decide who is the winner, defender or challenger. However, this random is predictable. Once there is one defender, potential challenger can pre-calculate the random number to check whether he can win in this battle. If yes, attend this battle. This can cause challenger always win by random number's pre-calculation.
function _battle(uint256 _tokenId, uint256 _credBet) internal {
address _defender = defender;
require(defenderBet == _credBet, "RapBattle: Bet amounts do not match");
uint256 defenderRapperSkill = getRapperSkill(defenderTokenId);
uint256 challengerRapperSkill = getRapperSkill(_tokenId);
uint256 totalBattleSkill = defenderRapperSkill + challengerRapperSkill;
uint256 totalPrize = defenderBet + _credBet;
uint256 random =
uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % totalBattleSkill;
Impact
Challenger can always choose the battle he can always win via random number pre-calculation.
Tools Used
Manual
Recommendations
Reconsider the random number.
Rewards breakdown
nSLOC
201This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.