ChoosingRam::increaseValuesOfParticipants has predictable randomness because it uses block.timestamp and block.prevrandao. A malicious user can call the function only when it is guaranteed to benefit him.

Description: This is a known issue in Solidity; you can read more about it here: https://soliditydeveloper.com/prevrandao

Another instance of this issue is present in the ChoosingRam::selectRamIfNotSelected function. This allows the organiser to predict the winner before calling the function.

Impact: A malicious user can compute the value of the random variable before calling the ChoosingRam::increaseValuesOfParticipants function:

uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;

If the outcome is favorable for the attacker, he allows the call to happen; if the outcome is not favorable, he reverts the transaction, and keeps trying until the value of random is zero so that it benefits him.

Proof of Concepts: The purpose of the contract below is to demonstrate how a malicious user can precompute the random value before calling the ChoosingRam::increaseValuesOfParticipants function, and only call it if he is guaranteed to win and update the values of his own NFT.

Recommended mitigation: Consider using Chainlink's VRF or a similar service in order to generate random numbers.