The code generates its random number by hashing msg.sender, block.timestamp, and block.prevrandao together. However, the resulting number is predictable, which defeats its purpose as a source of randomness. Malicious users can either manipulate these values or anticipate them in advance, thereby gaining an unfair advantage in becoming the chosen ram.
Here's the specific segment of the code responsible for the random number generation:
This portion of the code is crucial as it directly influences the selection of the ram, making it a potential target for exploitation.
Users can anticipate the block.timestamp and block.prevrandao values, which allows them to strategize their participation. For more information, you can refer to this article on prevrandao.
Users have the ability to adjust their msg.sender value, which could lead to their address being selected as the ram.
Outcome Prediction:
If a user can foresee the random number, they can sway the result of the increaseValuesOfParticipants function. In particular, they can control the update of the challenger or participant's traits.
It's important to note that using on-chain values for generating randomness is a known security risk in blockchain technology.
Any user can influence who becomes the chosen ram, making the entire protocol worthless if it becomes a gas war over who is the chosen ram.
Foundry
Consider using Chainlink VRF or a similar verifiable random function to provide truly random numbers that cannot be predicted.
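The recommendation above, shown as an added example that is neither the audited project's code nor Chainlink's own: the weak pattern next to a request/callback draw modelled on the Chainlink VRF v2 coordinator interface. The contract names, the argument order inside the hash, the inline interface declaration and the numeric request parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Weak pattern as described above. Argument order and encoding are assumed.
contract WeakRamPicker {
    function pickRam(uint256 participants) external view returns (uint256) {
        // Every input is known to the caller or block proposer beforehand.
        return uint256(keccak256(abi.encodePacked(
            block.timestamp, block.prevrandao, msg.sender))) % participants;
    }
}

// Inline declaration of the VRF v2 coordinator request call (no imports).
interface IVRFCoordinatorV2 {
    function requestRandomWords(bytes32 keyHash, uint64 subId,
        uint16 minimumRequestConfirmations, uint32 callbackGasLimit,
        uint32 numWords) external returns (uint256 requestId);
}

contract VrfRamPicker {
    IVRFCoordinatorV2 public immutable coordinator;
    bytes32 public immutable keyHash;
    uint64 public immutable subId;
    uint256 public immutable participants; // fixed before any draw starts
    uint256 public requestId;
    bool public drawPending;
    uint256 public selectedRam;

    constructor(address c, bytes32 k, uint64 s, uint256 n) {
        require(n > 0, "no participants");
        coordinator = IVRFCoordinatorV2(c);
        keyHash = k;
        subId = s;
        participants = n;
    }

    function requestRam() external {
        require(!drawPending, "draw in progress");
        drawPending = true;
        // 3 confirmations, 100k callback gas, 1 word: placeholder values.
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 100_000, 1);
    }

    // Callback: only the coordinator may deliver the verified random word.
    function rawFulfillRandomWords(uint256 id, uint256[] memory words) external {
        require(msg.sender == address(coordinator), "only coordinator");
        require(drawPending && id == requestId, "unknown request");
        drawPending = false;
        selectedRam = words[0] % participants;
    }
}
```

The participant count is frozen before the request so that nobody can change the modulus after the random word is known but before it is consumed.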