Weak randomness in `Streets::unstake` allows users to influence or predict the `Streets::daysStaked`.
Description: In the Streets::unstake function subtracting block.timestamp with stakes startTime and then dividing by 1 day creates a predictable find number. A predictable number is not a good random number. Malicious users can manipulate these values to update their rapperStats themselves according to their choice.
Impact: Any user can influence the rapperStats of the Rapbattle, manipulate RapBattle::BASE_SKILL, RapBattle::VIRTUE_INCREMENT, RapBattle::VICE_DECREMENT accourding to their choice. Making the entire OneShot::rapperStats worthless.
Proof of Concept:
Validators predicting
block.timestampcan significantly manipulate their participation.Users can predict the value and update the
rapperStatsof theRapbattle::getRapperSkillaccording to their choice, making their address the preferred one to manipulate therapperStats.
Recommended Mitigation: A cryptographically verifiable random number generator, such as Chainlink VRF, could substantially mitigate such issues.
Lead Judging Commences
Weak Randomness
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.