Weak randomness in `RapBattle::_battle` function allows the challenger to predict the winner beforehand
Summary
Weak randomness in RapBattle::_battle function allows the challenger to predict the winner beforehand. The challenger can simulate a scenario where he/she enters at the right, pre-determined moment to win the rap battle.
Vulnerability Details
Blockchain is a deterministic entity. Thus, using any of the blockchain specific variables to generate random values produces weak randomness. The random value can be predicted beforehand and the result influenced.
In RapBattle::_battle function, the random value to pick a winner is calculated by hashing block.timestamp, block.prevrandao, and msg.sender, creating a predictable value, and thus, a predictable winner. A malicious challenger can calaculate the exact time and block difficulty when he/she could win the rap battle. This defeats the purpose of the protocol -- to provide fair rap battles to rappers.
Impact
The ability to influence the outcome of the rap battle lies in the hands of the challengers. The defenders enter the rap battle beforehand, so they play no part in this exploit. The defenders are doomed to lose their credibility token bet.
Tools Used
Foundry, VSCodium.
Recommendations
Use a cryptographically provable random number generator such as Chainlink VRF.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.