Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

Predictable Random Number in increaseValuesOfParticipants Function

Summary

Any user can manipulate the selection process for "Ram" by guessing the random number and waiting for the right moment, compromising the fairness and integrity of the selection.

Vulnerability Details

Generating random numbers from block data is not secure, because an attacking contract can precalculate the value and make decisions in its favor. In this case, a hash generated from block.timestamp, block.prevrandao, and msg.sender is being used. An attacker can predict the random number by calculating it off-chain before interacting with the contract. By choosing the optimal moment to call the function, the attacker can ensure that the random number will be either 0 or 1, depending on their needs.

An attacker can use the predictability of the random number to manipulate the characteristic updates in their favor. Here’s a step-by-step exploitation scenario:

Prediction: The attacker predicts the random number by calculating it off-chain using the current block timestamp, previous random number, and their own address.

Optimal Timing: Based on the prediction, the attacker chooses the optimal time to call the function.

Function Call: The attacker calls the increaseValuesOfParticipants function at the chosen moment to ensure their desired outcome, either updating their own characteristics or those of another participant.

Impact

An attacker can easily predict the random outcome, allowing manipulation of the selection process for "Ram," compromising the fairness and integrity of the event.

Tools Used

Manual review

Recommendations

To mitigate this vulnerability, it is recommended to use a more secure source of randomness, such as Chainlink VRF (Verifiable Random Function). Chainlink VRF provides a secure and verifiable random number generation mechanism that is tamper-proof and cannot be predicted by attackers.
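A sketch of the request-and-callback pattern of Chainlink VRF v2 (subscription model), as an added example that is not the audited project's code. The contract, function and event names, the pairing of two token ids, and the confirmation and gas values are assumptions; only the coordinator call and the `rawFulfillRandomWords` callback follow VRF v2.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the Chainlink VRF v2 coordinator (subscription model).
interface IVRFCoordinatorV2 {
    function requestRandomWords(
        bytes32 keyHash, uint64 subId, uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit, uint32 numWords
    ) external returns (uint256 requestId);
}

// Hypothetical contract: names are assumptions, and the ownership checks a
// real contract needs on the token ids are omitted.
contract RamSelectionSketch {
    struct Pending { uint256 challengerId; uint256 participantId; bool open; }

    IVRFCoordinatorV2 private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subId;
    mapping(uint256 => Pending) public pending; // requestId => inputs fixed at request time

    event IncreaseRequested(uint256 indexed requestId, uint256 challengerId, uint256 participantId);
    event IncreaseResolved(uint256 indexed requestId, uint256 selectedId);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId) {
        coordinator = IVRFCoordinatorV2(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // Weak form from the finding: a hash of block.timestamp, block.prevrandao and
    // msg.sender reduced to 0 or 1. Every input is known to the caller beforehand.

    // Step 1: fix the inputs. The outcome does not exist yet in this transaction.
    function requestIncrease(uint256 challengerId, uint256 participantId) external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 100_000, 1);
        pending[requestId] = Pending(challengerId, participantId, true);
        emit IncreaseRequested(requestId, challengerId, participantId);
    }

    // Step 2: called by the coordinator after it has verified the VRF proof.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        Pending memory p = pending[requestId];
        require(p.open, "unknown request");
        delete pending[requestId]; // each request resolves exactly once
        uint256 selectedId = randomWords[0] % 2 == 0 ? p.challengerId : p.participantId;
        emit IncreaseResolved(requestId, selectedId);
    }
}
```

Because the inputs are committed in one transaction and the random word arrives in a later one, the caller cannot observe the outcome before deciding whether to call.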

Updates

Lead Judging Commences

bube Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::increaseValuesOfParticipants`
