Submission Details
Severity: low
Valid

Deterministic randomness used in `ChoosingRam::selectRamIfNotSelected` lets the node operator manipulate transaction execution to get a favorable outcome

Summary

`ChoosingRam::selectRamIfNotSelected` uses randomness to select a user as Ram, but the parameters used to generate that randomness are deterministic and known to the node operator executing the transaction. This allows them to execute the transaction at a point that makes the outcome favorable for them.

Vulnerability Details

The vulnerability is in the `ChoosingRam::selectRamIfNotSelected` function, which uses deterministic randomness: all the parameters used to generate it are already known before the transaction is executed.

It uses `block.timestamp` and `block.prevrandao`. Both values are already known, so a node operator executing the transaction can execute it at a point in time at which these values make the outcome favor them.

The organizer can also manipulate the execution of the transaction to make a particular user Ram, by executing it at a point at which those parameters provide the randomness they want.

Impact

Predictable randomness allows a node operator to manipulate the transaction outcome as they choose.

Tools Used

Manual Review

Recommendations

Use a source of randomness that cannot be predicted, such as Chainlink VRF.
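
An added example, not the audited contract's code, showing the weak pattern beside a request-and-callback design of the kind the recommendation points to. The hashing and modulo in `selectWeak`, the `IRandomnessOracle` interface, and all contract, function and variable names are assumptions; a real Chainlink VRF integration would use Chainlink's own consumer contract in place of the stand-in interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator (assumption, not a real API).
interface IRandomnessOracle {
    function requestRandomness() external returns (uint256 requestId);
}

contract RamSelectionExample {
    IRandomnessOracle public immutable oracle; // assumed trusted oracle
    address public immutable organizer;
    uint256 public immutable tokenCount;       // assumed number of minted NFTs
    uint256 public selectedIndex;
    bool public isSelected;
    bool public requestPending;
    uint256 private pendingId;

    constructor(IRandomnessOracle _oracle, uint256 _tokenCount) {
        require(_tokenCount > 0, "no tokens");
        oracle = _oracle;
        organizer = msg.sender;
        tokenCount = _tokenCount;
    }

    // WEAK: both inputs are fixed for the whole block, so the index is known
    // to whoever builds or times the block before the call is included.
    function selectWeak() external {
        require(msg.sender == organizer && !isSelected, "not allowed");
        bytes32 h = keccak256(abi.encodePacked(block.timestamp, block.prevrandao));
        selectedIndex = uint256(h) % tokenCount;
        isSelected = true;
    }

    // HARDENED, step 1: only request randomness; no outcome is decided here.
    function requestSelection() external {
        require(msg.sender == organizer && !isSelected, "not allowed");
        require(!requestPending, "request pending");
        requestPending = true;
        pendingId = oracle.requestRandomness();
    }

    // HARDENED, step 2: the oracle delivers the value in a later transaction,
    // so it is not derivable from block fields when the request is made.
    function fulfill(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        require(requestPending && requestId == pendingId && !isSelected, "bad request");
        selectedIndex = randomWord % tokenCount;
        isSelected = true;
    }
}
```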

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::selectRamIfNotSelected`

The organizer is trusted, but the function `ChoosingRam::selectRamIfNotSelected` uses a way to generate a random number that is not completely random.
