Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Invalid

Weak PRNG due to a modulo on `block.timestamp`, which miners can influence to some extent, so it should be avoided.

Summary

`block.timestamp` in `ChoosingRam::increaseValuesOfParticipants(uint256,uint256)` and `ChoosingRam::selectRamIfNotSelected()` can be manipulated by miners to some extent, leading to predictable outcomes.

Vulnerability Details

`ChoosingRam::increaseValuesOfParticipants(uint256,uint256)` (src/ChoosingRam.sol#33-81) uses a weak PRNG: `random = uint256(keccak256(bytes)(abi.encodePacked(block.timestamp,block.prevrandao,msg.sender))) % 2` (src/ChoosingRam.sol#51-52)

`ChoosingRam::selectRamIfNotSelected()` (src/ChoosingRam.sol#83-93) uses a weak PRNG: `random = uint256(keccak256(bytes)(abi.encodePacked(block.timestamp,block.prevrandao))) % ramNFT.tokenCounter()` (src/ChoosingRam.sol#90)

Impact

Dussehra::killRavana relies on block timestamps for critical logic. This can be manipulated by miners to a small extent.

Tools Used

Slither and Audit Wizard

Recommendations

Ensure the time windows are reasonable and consider alternative mechanisms if precise timing is critical.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

Weak randomness in `ChoosingRam::increaseValuesOfParticipants`
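Added example, not part of the submission or the contest code base: a Foundry test showing that the two expressions quoted from `src/ChoosingRam.sol` are pure functions of values any code in the same block can read, which is the property a specific write-up of this finding would need to demonstrate. `WeakRandomHarness`, the test names and all timestamp, prevrandao, caller and token-count values are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in that reproduces only the two expressions quoted in the
// finding; it is not the contest's ChoosingRam contract.
contract WeakRandomHarness {
    // Expression quoted from src/ChoosingRam.sol#51-52
    function coinFlip() external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;
    }

    // Expression quoted from src/ChoosingRam.sol#90; tokenCounter is passed in
    // here instead of being read from ramNFT (assumption for the harness).
    function pick(uint256 tokenCounter) external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % tokenCounter;
    }
}

contract WeakRandomTest is Test {
    WeakRandomHarness harness;

    function setUp() public {
        harness = new WeakRandomHarness();
    }

    // Every input to the hash is visible inside the block, so the test can
    // recompute both results without calling the harness first.
    function test_outputIsFunctionOfPublicBlockData() public {
        vm.warp(1_700_000_000);                  // constructed timestamp
        vm.prevrandao(bytes32(uint256(0xBEEF))); // constructed prevrandao
        address caller = makeAddr("caller");     // constructed caller

        uint256 expectedFlip =
            uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, caller))) % 2;
        uint256 expectedPick =
            uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % 10;

        vm.prank(caller); // applies to the next call only
        assertEq(harness.coinFlip(), expectedFlip);
        assertEq(harness.pick(10), expectedPick);
    }
}
```

Both assertions hold for any timestamp, prevrandao and caller, because the hash has no input that is hidden from the caller at execution time.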
