Submission Details
Severity: high
Valid

Weak randomness in `RapBattle::_battle` allows users to influence or predict the bet winner and get the money.

Description: Hashing `msg.sender`, `block.timestamp`, and `block.prevrandao` together and then taking the result modulo `totalBattleSkill` creates a predictable final number. A predictable number is not a good random number. Malicious users can manipulate these values to choose the winner of the RapBattle themselves.

```solidity
uint256 random =
    uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % totalBattleSkill;
```

Impact: Any user can influence the winner of the RapBattle, winning the money. This makes the entire RapBattle worthless if it becomes a gas war over who wins the RapBattle.

Proof of Concept:

  1. Validators predicting block.timestamp and block.prevrandao can significantly manipulate their participation.

  2. Users can modify their message sender value, making their address the preferred one to determine the winner.

  3. Transactions, such as select winner, can be reverted by users if the result doesn't satisfy them.

Recommended Mitigation: A cryptographically verifiable random number generator, such as Chainlink VRF, could substantially mitigate such issues.
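
A sketch of the request/fulfil flow that a VRF-based fix relies on, added here as an example and not taken from the RapBattle code base or from Chainlink. `IRandomnessOracle`, `BattleWithOracleRandomness`, the function names and the win rule are hypothetical; a real integration uses the VRF provider's own consumer interface and proof verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator (assumption, not a real API).
interface IRandomnessOracle {
    function requestRandomWord() external returns (uint256 requestId);
}

contract BattleWithOracleRandomness {
    struct Pending { address defender; address challenger; uint256 defenderSkill; uint256 challengerSkill; }

    IRandomnessOracle public immutable oracle;
    mapping(uint256 => Pending) public pending; // requestId => battle awaiting randomness

    event BattleRequested(uint256 indexed requestId);
    event BattleSettled(uint256 indexed requestId, address winner);

    constructor(IRandomnessOracle _oracle) { oracle = _oracle; }

    // Step 1: record the battle and ask for randomness. No outcome exists in
    // this transaction, so the caller has nothing to predict or revert on.
    // Skills are parameters only to keep the sketch short; a real contract
    // would read them from on-chain state, never from the caller.
    function requestBattle(address defender, uint256 defenderSkill, uint256 challengerSkill)
        external returns (uint256 requestId)
    {
        require(defenderSkill + challengerSkill > 0, "no skill");
        requestId = oracle.requestRandomWord();
        pending[requestId] = Pending(defender, msg.sender, defenderSkill, challengerSkill);
        emit BattleRequested(requestId);
    }

    // Step 2: only the oracle delivers the random word, in its own transaction,
    // so block.timestamp, block.prevrandao and msg.sender no longer feed the result.
    function fulfillRandomWord(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        Pending memory b = pending[requestId];
        require(b.challenger != address(0), "unknown request");
        delete pending[requestId]; // each request settles exactly once

        uint256 totalBattleSkill = b.defenderSkill + b.challengerSkill;
        uint256 random = randomWord % totalBattleSkill;
        // Assumed rule: defender wins with probability defenderSkill / totalBattleSkill.
        address winner = random < b.defenderSkill ? b.defender : b.challenger;
        emit BattleSettled(requestId, winner); // payout logic omitted
    }
}
```

Bets should be escrowed in step 1 so that a participant cannot withdraw between the request and the settlement.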

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Randomness
