Weak source of randomness, can allow malicious users to predict the outcome value and win battles.
Summary
The RapBattle::_battle function includes block.timestamp and block.prevrandao as a source of randomness to determine rap battle winners. However using variables that provide information about the blockchain properties as a random number generator is commonly advised against, as the outcome can be manipulated by calling accounts.
Vulnerability Details
Imagine the following scenario:
An attacker can run a strong miner/validator node in the blockchain network, as they can know the
block.timestampandblock.prevrandaoin ahead of time and use that advantage to calculate if he will win or decide whether to participate or not in the rap battle.Additionally
msg.senderis also used in determining the result. So an attacker can manipulate their address value to gain a winning position.
Impact
Likelihood: Medium, although the user has incentive to exploit this, certain circumstances must be met to succeed.
Impact: High as malicious validator can influence on these variables to gain benefit. An attacker basically can win unfairly.
Tools Used
Manual Review
Recommendations
Use decentralized oracle for generation of randomness, such as Chainlink VRF.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.