Severity: low
Valid

Organizers can manipulate who wins selected Ram

Summary

The ChoosingRam::selectRamIfNotSelected function is intended to select a ram if no user has been selected by the end of an event. However, the function relies on block parameters, specifically block.timestamp and block.prevrandao, to generate a random number for determining the ram. These values are deterministic and predictable, which allows the organizers or an attacker to manipulate the outcome.

Vulnerability Details

Function Affected: ChoosingRam::selectRamIfNotSelected

Parameters Used: block.timestamp, block.prevrandao

Issue: The use of predictable block parameters for random number generation.

Exploitation: An attacker or the organizers can predict the random number and manipulate the selection process to ensure a specific user is chosen as the ram.

Impact

Integrity: The fairness of the selection process is undermined, as the outcome can be influenced by those with knowledge of the deterministic values.

Tools Used

Manual Review

Recommendations

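Replace the block-parameter randomness with a verifiable randomness source such as Chainlink VRF:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
// Placeholder path: point this at the project's RamNFT contract.
import {RamNFT} from "./RamNFT.sol";

contract ChoosingRam is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface COORDINATOR;
    uint64 s_subscriptionId;
    bytes32 keyHash;

    // Declared here so the snippet compiles; keep the project's existing declarations.
    bool public isRamSelected;
    RamNFT public ramNFT;

    constructor(address vrfCoordinator, bytes32 _keyHash, uint64 subscriptionId, address _ramNFT)
        VRFConsumerBaseV2(vrfCoordinator)
    {
        COORDINATOR = VRFCoordinatorV2Interface(vrfCoordinator);
        keyHash = _keyHash;
        s_subscriptionId = subscriptionId;
        isRamSelected = false;
        ramNFT = RamNFT(_ramNFT);
    }

    // Ask the VRF coordinator for one random word; the value is delivered
    // later to fulfillRandomWords. Each request is paid from the subscription,
    // so restrict who may call this in a real deployment.
    function requestRandomNumber() external {
        COORDINATOR.requestRandomWords(
            keyHash,
            s_subscriptionId,
            3, // Request confirmations
            200000, // Callback gas limit
            1 // Number of random words
        );
    }

    // Callback through which the coordinator delivers the verified random value.
    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {
        uint256 randomResult = randomWords[0];
        // Use the randomResult for your application logic
    }
}
```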
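
A static check for the pattern this finding describes, as an added example that is not part of the submission or the audited project: it flags functions that hash block values with `keccak256` and reduce the result with `%`. The Solidity sample is constructed, `ChoosingRamSample` and `tokenCount` are hypothetical names, and the source list goes beyond the two parameters named above to include other block-derived values.

```python
import re

# Block-derived values known to (or influenced by) whoever builds or times the block.
WEAK_SOURCES = ("block.timestamp", "block.prevrandao", "block.difficulty", "blockhash")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")

def balanced(text, start, open_ch, close_ch):
    """Return the index just past the bracket that closes text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == open_ch) - (text[i] == close_ch)
        if depth == 0:
            return i + 1
    return len(text)

def find_weak_randomness(source):
    """Map function name -> block values it hashes, if the body also uses %."""
    src = re.sub(r"/\*.*?\*/", "", source, flags=re.S)  # drop block comments
    src = re.sub(r"//[^\n]*", "", src)                   # drop line comments
    findings = {}
    for m in FUNC_RE.finditer(src):
        brace, semi = src.find("{", m.end()), src.find(";", m.end())
        if brace == -1 or -1 < semi < brace:
            continue  # declaration without a body (interface or abstract)
        body = src[brace:balanced(src, brace, "{", "}")]
        used = set()
        for h in re.finditer(r"keccak256\s*\(", body):
            paren = h.end() - 1
            args = body[paren:balanced(body, paren, "(", ")")]
            used.update(s for s in WEAK_SOURCES if s in args)
        if used and "%" in body:
            findings[m.group(1)] = sorted(used)
    return findings

# Constructed sample: ChoosingRamSample and tokenCount are hypothetical names.
SAMPLE = """
contract ChoosingRamSample {
    uint256 tokenCount;
    uint256 selectedRam;
    function selectRamIfNotSelected() public {
        selectedRam = uint256(keccak256(
            abi.encodePacked(block.timestamp, block.prevrandao))) % tokenCount;
    }
    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal {
        selectedRam = randomWords[0] % tokenCount; // VRF word: not flagged
    }
}
"""
if __name__ == "__main__":
    print(find_weak_randomness(SAMPLE))
```

This is a text heuristic for triage, so a hit still needs a reviewer to confirm the hashed value actually drives a selection.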
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak randomness in `ChoosingRam::selectRamIfNotSelected`

The organizer is trusted, but the function `ChoosingRam::selectRamIfNotSelected` uses a way to generate a random number that is not completely random.
