Submission Details
Severity: high
Invalid

Weak Randomness Generation Using block.timestamp and block.prevrandao Can Be Manipulated in the selectRamIfNotSelected Function

Summary

The ChoosingRam contract uses a weak method to generate random values, making it susceptible to manipulation. The contract combines block.prevrandao, block.timestamp, and msg.sender in the selectRamIfNotSelected function to produce a random value. However, this approach is flawed and can be exploited by malicious actors to influence the outcome of random events.

Vulnerability Details

Manipulable timestamps: A dishonest miner can manipulate block.timestamp to influence the generated random value.
Predictable historical randomness (prevrandao): Historical randomness provided by decentralized oracles is entirely predictable.
Limited unpredictability of future randomness: While future randomness is unpredictable to some extent, it can still be manipulated by miners or other actors.

Impact

Potential for malicious actors to exploit the vulnerability for personal gain.

Tools Used

Manual code review

Recommendations

Implement a decentralized randomness solution, such as a decentralized oracle network or a consensus-based randomness protocol (Chainlink randomness).
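
The sketch below is an added example, not code from the ChoosingRam contract or from this submission. It sets the weak pattern described in the summary beside a request/fulfil flow of the kind the recommendation points to. The contract name, the `IRandomnessOracle` interface and all function names are hypothetical; a real integration would use the chosen provider's own consumer contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface for this example; a real deployment would use
// the randomness provider's own consumer contract and coordinator instead.
interface IRandomnessOracle {
    function requestRandom() external returns (uint256 requestId);
}

contract SelectionExample {
    IRandomnessOracle public immutable oracle; // assumed trusted randomness source
    uint256 public immutable tokenCount;       // number of candidates, must be > 0
    uint256 public pendingRequest;
    bool public requested;
    bool public selected;
    uint256 public selectedTokenId;

    constructor(IRandomnessOracle _oracle, uint256 _tokenCount) {
        require(_tokenCount > 0, "no candidates");
        oracle = _oracle;
        tokenCount = _tokenCount;
    }

    // WEAK: every input is known to (or chosen by) the caller while the
    // transaction executes, so the result is not secret from anyone.
    function weakSelect() external view returns (uint256) {
        return uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))
        ) % tokenCount;
    }

    // HARDENED, step 1: only record a request; no outcome exists yet.
    function requestSelection() external {
        require(!requested, "already requested");
        requested = true;
        pendingRequest = oracle.requestRandom();
    }

    // HARDENED, step 2: the oracle delivers the value in a later transaction.
    function fulfillRandom(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        require(requested && !selected, "no pending request");
        require(requestId == pendingRequest, "unknown request");
        selected = true;
        selectedTokenId = randomWord % tokenCount;
    }
}
```

Splitting the request from the fulfilment means the outcome does not exist when the requesting transaction is built, and the `msg.sender` check keeps anyone other than the oracle from supplying the value.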

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
