The increaseValuesOfParticipants function relies on insecure randomness, allowing an attacker to predict the random outcome and arrange to be selected as Ram. Once selected, the attacker can call the withdraw function and drain the contract's funds. Additionally, the withdraw function does not follow the check-effect-interaction pattern, exposing the contract to potential reentrancy.
The increaseValuesOfParticipants function uses insecure randomness to decide whether to increase the values of the challenger or a participant. The random number is generated using the current block timestamp, block.prevrandao, and the msg.sender address:
All three inputs are predictable: the block timestamp and block.prevrandao are visible on-chain before the call is mined, and msg.sender is chosen by the caller. An attacker can therefore compute the outcome in advance and only submit the transaction when it selects them as the Ram.
Once an attacker becomes Ram, they can exploit the withdraw function to withdraw funds:
Unauthorized Fund Withdrawal: An attacker can manipulate the randomness in increaseValuesOfParticipants to become Ram. Once selected, they can call the withdraw function and drain the contract's funds.
Manual review
Secure Randomness: Use a more secure method for generating randomness, such as Chainlink VRF or another verifiable random function.
Check-Effect-Interaction: Implement the check-effect-interaction pattern in the withdraw function (validate inputs, update state, then make the external call last) to prevent reentrancy attacks.
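The following Solidity is an added illustration of the weak randomness pattern described above beside a hardened version that applies both recommendations; it is not the audited contract's code. Contract and variable names (WeakSelection, HardenedSelection, ram, participants), the Chainlink VRF V2 import paths, and the key hash, subscription id and request parameters are assumptions for the example and must be replaced with the values for the target network.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: paths follow the @chainlink/contracts package layout and vary by version.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

/// Weak pattern from the finding: every input is either public on-chain
/// state or chosen by the caller, so the "random" value can be computed
/// before the transaction is sent.
contract WeakSelection {
    address public ram;
    address[] public participants;

    function _weakRandom() internal view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender)));
    }

    function selectRam() external {
        require(participants.length > 0, "no participants");
        ram = participants[_weakRandom() % participants.length];
    }
}

/// Hardened version: the random word comes from Chainlink VRF (proof-verified
/// by the coordinator, no caller-controlled input), and withdraw follows
/// checks-effects-interactions with a reentrancy guard.
contract HardenedSelection is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash; // assumed: gas-lane key hash for the network
    uint64 private immutable subId;    // assumed: funded VRF subscription id

    address public ram;
    address[] public participants;
    uint256 public pendingRequest;
    bool private locked;

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    /// Anyone may trigger a selection, but nobody can influence its result.
    function requestRamSelection() external {
        require(pendingRequest == 0, "request in flight");
        require(participants.length > 0, "no participants");
        // 3 confirmations, 200k callback gas, 1 random word (assumed values).
        pendingRequest = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
    }

    /// Invoked only by the coordinator once the VRF proof has been verified.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        require(requestId == pendingRequest, "unknown request");
        pendingRequest = 0;
        ram = participants[randomWords[0] % participants.length];
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    /// Checks, then effects, then the external call last.
    function withdraw() external nonReentrant {
        require(msg.sender == ram, "not ram");             // check
        uint256 amount = address(this).balance;
        require(amount > 0, "nothing to withdraw");        // check
        ram = address(0);                                  // effect: clear role before paying out
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

The reentrancy guard is belt-and-braces: clearing `ram` before the call already means a re-entered `withdraw` fails the `msg.sender == ram` check, which is the property the check-effect-interaction ordering buys on its own.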