`ChoosingRam.sol::increaseValuesOfParticipants` is not verifiably random when choosing who's values will be increased
Summary
In ChoosingRam.sol::increaseValuesOfParticipants, when the Challenger's or Participant's ramNFT traits are being chosen to be increased, it is not done in a verifiably random way.
Vulnerability Details
When the winner is calculated, it uses properties of the Ethereum blockchain such as msg.sender, block.timestamp, and block.prevrandao to create a seed for the keccak256 hash function. The result is then used to compute a random value of either 0 or 1 to determine the winner.
Calculating a random number like this does provide a level of randomness; however, the data could potentially be manipulated through miner manipulation.
Impact
Potential manipulation when determining the winner. The winner is picked using values that can be manipulated unfairly rather than by using a service that picks a verifiably random number.
Tools Used
--Foundry
Recommendations
Use an Oracle service such a Chainlink VRF to select a random number to determine winner.
Lead Judging Commences
Weak randomness in `ChoosingRam::increaseValuesOfParticipants`
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.