The ChoosingRam::increaseValuesOfParticipants function uses a weak source of randomness based on block.timestamp, block.prevrandao, and msg.sender, which can be influenced by miners or callers. This vulnerability could allow a malicious participant to manipulate the outcome to unfairly increase their chances of becoming Ram.
The ChoosingRam::increaseValuesOfParticipants function allows the value of participants to be increased. The winner is determined by a random number: if the random number is 0, the winner is the challenger, and if the random number is 1, the winner is the selected participant.
The problem arises because the random number is generated from values that a miner can manipulate: block.timestamp and block.prevrandao. The caller (or miner) can also manipulate msg.sender, because new addresses can easily be mined. This means the winner of this function call can be manipulated, which is an unfair advantage.
The randomness is weak: a malicious participant can potentially easily increase the value of an NFT and be selected Ram, thereby gaining an advantage over other participants. Because of the way the random number is generated, a participant can become the selected Ram in a single block.
Manual review
The recommendation is to use Chainlink VRF to generate random numbers.
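One way the recommendation could be applied, as an added sketch that is not the audited project's code: the challenge is split into a request and a coordinator callback, so the 0/1 outcome is not derivable from block.timestamp, block.prevrandao or msg.sender in the caller's transaction. The contract name, struct, events, confirmation count and gas limit are assumptions, and the import paths assume a @chainlink/contracts release that ships VRF v2 under src/v0.8/vrf/.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import paths; older @chainlink/contracts releases keep these files directly under src/v0.8/.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Hypothetical contract: names and storage layout are illustrative, not taken from ChoosingRam.
contract ChallengeWithVrf is VRFConsumerBaseV2 {
    struct Challenge {
        uint256 challengerToken;
        uint256 participantToken;
    }

    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;
    uint64 private immutable i_subId;
    mapping(uint256 => Challenge) private s_pending; // VRF requestId => open challenge

    event ChallengeRequested(uint256 indexed requestId, address indexed challenger);
    event ChallengeResolved(uint256 indexed requestId, uint256 winningToken);

    constructor(address coordinator, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subId = subId;
    }

    // Step 1: record the challenge and request one random word. No outcome exists in this transaction.
    function requestChallenge(uint256 challengerToken, uint256 participantToken) external returns (uint256 requestId) {
        // The real contract's ownership and "Ram already selected" checks would go here.
        // Assumed parameters: 3 confirmations, 100,000 callback gas, 1 random word.
        requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, 3, 100_000, 1);
        s_pending[requestId] = Challenge(challengerToken, participantToken);
        emit ChallengeRequested(requestId, msg.sender);
    }

    // Step 2: invoked through the coordinator only (enforced by VRFConsumerBaseV2).
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        Challenge memory c = s_pending[requestId];
        delete s_pending[requestId]; // each request resolves at most once
        // Same rule the finding describes: 0 => challenger wins, 1 => selected participant wins.
        uint256 winningToken = randomWords[0] % 2 == 0 ? c.challengerToken : c.participantToken;
        emit ChallengeResolved(requestId, winningToken);
        // The real contract would increase the winning NFT's value here.
    }
}
```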