Using `block.timestamp` and `block.prevrandao` as sources of randomness is susceptible to manipulation by miners
Summary
Sources of randomness are hard to get in a deterministic system like the blockchain. Current built-in randomness sources (block.timestamp and block.prevrandao) can be somehow manipulated by the miners.
Vulnerability Details
block.timestamp and block.prevrandao should not be used as sources of randomness, because they can be manipulated by miners:
https://medium.com/@alexbabits/why-block-prevrandao-is-a-useless-dangerous-trap-and-how-to-fix-it-5367ed3c6dfc
https://ethereum.stackexchange.com/questions/143504/blockhash-and-block-timestamp-manipulation-in-pos
https://soliditydeveloper.com/prevrandao
Impact
Function ChoosingRam::increaseValuesOfParticipants and ChoosingRam::selectRamIfNotSelected are susceptible to manipulation due to weak randomness used to generate values for random variable. Also,
Tools Use
Manual review
Recommendations
Use a trust randomness provider, such as Chainlink's VRF.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.