Submission Details
Severity: high
Valid

Using deterministic randomness in `increaseValuesOfParticipants` allows the challenger to always win by predicting it before calling the function.

Summary

Deterministic randomness is used in `increaseValuesOfParticipants` to decide the winner. This lets the challenger predict the outcome before calling the function and make the other participant always lose.

Vulnerability Details

The vulnerability is in the `increaseValuesOfParticipants` function, which derives its randomness from variables that are already known. As a result, the challenger can predict the randomness and call the function only when it is in their favor, so the other participant never wins.

The randomness is calculated on the basis of `block.timestamp`, `block.prevrandao` and `msg.sender`.

For a transaction in the same block, these parameters are always known to the challenger before calling the function, so the randomness is deterministic rather than actually random. The challenger can therefore proceed with the transaction only if the randomness is in their favor, and always win.

Impact

The challenger will always win, and the other participant passed in by the challenger will never win.

Tools Used

Manual Review

Recommendations

Use a source of randomness that cannot be determined before calling the function, for example a service such as Chainlink VRF.
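The sketch below is an added example, not code from the audited contract or from Chainlink. It contrasts the weak pattern described above with a two-step request/fulfill flow in which the outcome is not known when the challenge is committed. `IRandomnessOracle`, `ChallengeSketch` and all function names are hypothetical stand-ins (a real VRF integration uses the provider's own coordinator interface), and token-ownership checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator; not Chainlink's actual interface.
interface IRandomnessOracle {
    function requestRandomWord() external returns (uint256 requestId);
}

contract ChallengeSketch {
    struct Pending { address challenger; uint256 tokenA; uint256 tokenB; }

    IRandomnessOracle public immutable oracle;
    mapping(uint256 => Pending) public pending; // requestId => challenge awaiting randomness
    mapping(uint256 => bool) public locked;     // tokenId => has an unresolved challenge

    event ChallengeRequested(uint256 indexed requestId, uint256 tokenA, uint256 tokenB);
    event ChallengeResolved(uint256 indexed requestId, uint256 winner);

    constructor(IRandomnessOracle _oracle) { oracle = _oracle; }

    // WEAK (pattern described in the finding): every input is known to the caller
    // inside the same transaction, so the result is known before committing to it.
    function weakCoinFlip() public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;
    }

    // HARDENED step 1: record the challenge and request randomness.
    // Nothing observable at this point determines the winner.
    function requestChallenge(uint256 tokenA, uint256 tokenB) external returns (uint256 requestId) {
        require(tokenA != tokenB, "same token");
        require(!locked[tokenA] && !locked[tokenB], "challenge pending");
        locked[tokenA] = true;
        locked[tokenB] = true;
        requestId = oracle.requestRandomWord();
        pending[requestId] = Pending(msg.sender, tokenA, tokenB);
        emit ChallengeRequested(requestId, tokenA, tokenB);
    }

    // HARDENED step 2: only the oracle may deliver the value, in a later transaction.
    function fulfillRandomWord(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        Pending memory p = pending[requestId];
        require(p.challenger != address(0), "unknown request");
        delete pending[requestId]; // each request resolves at most once
        locked[p.tokenA] = false;
        locked[p.tokenB] = false;
        emit ChallengeResolved(requestId, randomWord % 2 == 0 ? p.tokenA : p.tokenB);
    }
}
```

Locking both tokens until fulfillment prevents a second challenge from being opened on the same pair while the first is unresolved.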

Updates

Lead Judging Commences

bube Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::increaseValuesOfParticipants`
